nsh.8

.\"     $OpenBSD: nsh.8,v 1.2.3 2024/09/17 17:57:00 UTC chrisc $
.\"
.\" Copyright (c) 2002-2024 Chris Cappuccio.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: September 17 2024 $
.Dt NSH 8
.Os
.Sh NAME
.Nm nsh
.Nd network configuration shell
.Sh SYNOPSIS
.Nm nsh
.Op Fl ev
.Op Fl i Ar rcfile
.Op Fl c Ar config-script-file
.Sh DESCRIPTION
.Nm
is a command interpreter intended for both interactive and shell script use.
.Nm
is an alternative to:
.Xr ifconfig 8 ,
.Xr sysctl 8 ,
.Xr route 8 ,
and encapsulates configuration for other daemons into one place.
.Nm
provides an alternative to:
.Xr netstart 8
and parts of
.Xr rc 8 .
.Nm
has its own command language similar to the configuration language used by
many network appliance vendors.
.Pp
.Nm
encapsulates the many available networking services and daemons that are
included in
.Ox
base, see the
.Sx SEE ALSO
section for a complete list.
.Pp
.Nm
is a shell to configure
.Ox
kernel's networking functions such as routing
of packets, firewalling, network address translation, rate limiting,
bandwidth queueing, LAN bridging, IP tunnelling, and encryption.
.Nm
provides simple wrappers around these functions to aid setting up a network.
The goals of this software are:
.Bl -dash
.It
Make the command syntax uniform
.It
Bring all configuration together in a single configuration file
.It
Provide a wrapper for any
.Ox
ctl utility such as
.Xr ospfctl 8 ,
.Xr ipsecctl 8 ,
and
.Xr bgpctl 8 .
.El
.Pp
.Nm
encapsulates those configuration files, so that their native configuration
files are encapsulated within the
.Nm
configuration framework.
.Nm
does not in any way obfuscate the configuration syntax that is utilised or
provided by these ctl.c based programs.
.Nm
allows the administrator to view and edit all configuration in one place.
.Ss COMMAND LINE ARGUMENTS
When
.Nm
is run without arguments it loads an interactive shell.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl v
Produce verbose output
.It Fl c Ar config-script-file
Execute the command(s) in the
.Ar config-script-file .
This is typically used to implement scripted changes to configuration.
.It Fl i Ar rcfile
Load the initial system configuration from the command(s) in the
.Ar rcfile .
This is typically used to clear the configuration and load a full
.Nm
configuration script from rcfile .
.It Fl e
Start
.Nm
in a privileged mode session.
This option is not intended to be used directly.
It is used internally by
.Nm
while restarting itself with root privileges when a non-root user runs the
.Cm enable
command.
.El
.Ss INTERACTIVE FEATURES
When run without any command line arguments,
.Nm
presents an interactive shell to the user.
If
.Nm
is run as root user then
.Nm
shall start as a privileged full functionality shell.
If
.Nm
is run as a non-root user then
.Nm
shall start as an unprivileged and limited functionality shell.
Privileged
.Nm
shell functionality can be enabled using the
.Cm enable
command.
.Pp
All
.Nm
interactive command line modes allow basic command line editing features from
.Xr editline 7
library.
The command history of the current session is available through the up / down
arrow keys.
.Pp
It is possible to repeat the commands from the command history.
.Pp
Any command can be abbreviated as long as the abbreviation is not ambiguous.
E.g. 'show running-config' can be abbreviated to 'sho run'.
.Pp
If the user enters a command that is ambiguous
.Nm
warns the user with 'Ambiguous argument' message,
E.g. ambiguous command entry.
.Bd -literal -offset indent
nsh/show i
% Ambiguous argument i
.Ed
.Ss Command line completion
.Nm
has double <Tab> command line completion for user convenience if the command
is not ambiguous double <Tab> completes the command.
.Pp
E.g show all available valid commands  with double tab key sequence <tab><tab>
.Bd -literal -offset indent
nsh(config-p)/
!		enable		ldap		ping6		show
?		exit		ldp		pipex		smtp
arp		flush		logger		powerdown	snmp
bgp		ftp-proxy	manual		quit		ssh
bridge		group		motd		rad		sshd
clear		halt		mpls		reboot		telnet
configure	help		nameserver	relay		tftp
crontab		hostname	ndp		resolv		tftp-proxy
ddb		ifstate		no		rip		traceroute
dhcp		ike		nppp		route		traceroute6
disable		inet		ntp		rtable		unsetenv
do		interface	ospf		sasync		verbose
dvmrp		ip		ospf6		saveenv		who
editing		ip6		pf		scheduler	write-config
eigrp		ipsec		ping		setenv
nsh(config-p)/
.Ed
If what is typed is ambiguous double tab presents the administrator
with the available command line options that match what has been typed thus
far.
.Pp
E.g. command line completion display for all commands begining with i
.Bd -literal -offset indent
nsh(config-p)/i
ifstate         inet            ip              ipsec
ike             interface       ip6
.Ed
.Ss Command History
Use the up arrow on most keyboards to review the previous commands entered in
the current session.
The command being currently viewed can be repeated by hitting enter.
.Ss Reversing Commands
.Nm
commands can be reversed in the following ways:
.Bl -dash
.It
Any affirmative commands that do not contain
.Ic enable
keyword can be reversed
with the
.Ic no
keyword in front of the affirmative version of the command.
e.g. reverse allowing IP packet forwarding.
.Bd -literal -offset indent
nsh(config-p)/ip forwarding
nsh(config-p)/no ip forwarding
.Ed
.It
Any affirmative commands that contain
.Ic enable
keyword can be reversed
with
.Ic disable
keyword.
E.g reverse enabling packet filter firewall command.
.Bd -literal -offset indent
nsh(config-p)/pf enable
%pf enabled
nsh(config-p)/pf disable
%pf disabled
.Ed
.El
.Ss Standard Prompt vs Privileged Prompt vs Configuration mode Prompt
.Tg disable
.Tg unprivileged
.Tg shell
.Ic Standard Prompt
The shell starts out with an unprivileged prompt which displays as the text
of the FQDN (fully qualified domain name) of the machine followed by a
forward slash.
This unprivileged prompt will allow only basic diagnostic commands
and does not allow viewing sensitive configuration information.
.Bl -dash
.It
e.g. standard prompt of the device firewall.machine.com
.Bd -literal -offset indent
firewall.machinename.com/
.Ed
.El
.Pp
.Tg enable
.Tg privileged
.Tg shell
.Ic Privileged Prompt
The privileged shell is accessed using the
.Cm enable
command.
It allows the administrator to run privileged diagnostic commands.
If external commands are enabled, external commands can be invoked by
the user in privileged mode.
The privileged mode alone will not allow changes to the system via
.Nm
commands.
The privileged shell is indicated by the FQDN of the machine followed
by (p) and followed by a /
.Bl -dash
.It
E.g. privileged shell prompt of the device firewall.machine.com
.Bd -literal -offset indent
firewall.machinename.com(p)/
.Ed
.El
.Pp
.Tg configure
.Tg config
.Ic Configuration Mode Prompt
The
.Cm configure
command allows the administrator to make changes to the system
configuration.
This additional command is a safeguard against accidental configuration
of a system.
I.e. a user can run privileged diagnostic commands, however without
configuration mode being enabled,
.Nm
will not permit any modifications to the system configuration.
.Pp
E.g. user elevating privileges from privilege disabled, to enabled privilege
mode and finally configuration mode on a system called hostname.nsh.org
.Bd -literal -offset indent
% NSH v1.1
hostname.nsh.org/
hostname.nsh.org/enable
hostname.nsh.org(p)/
hostname.nsh.org(p)/configure
hostname.nsh.org(config-p)/
.Ed
.Pp
For the purposes of this manual, any examples the machine is called
.Nm
.
.Bl -dash
.It
E.g. standard prompt appearing in examples in this manual
.Bd -literal -offset indent
nsh/
.Ed
.It
E.g. privileged prompt appearing in examples in this manual
.Bd -literal -offset indent
nsh(p)/
.Ed
.El
.Sh INTERACTIVE COMMANDS
.Tg help
.Ic ? | help
.Op nsh-command
.Pp
Display available commands and options that can used in the current
.Nm
mode.
The help or ? can be followed by a
.Nm
command,
.Nm
displays the purpose of the specified command.
.Bl -dash
.It
E.g. display help on the rtable command
.Bd -literal -offset indent
nsh(config-p)/? rtable
% rtable: Routing table switch
.Ed
.It
E.g. display help for all available commands in privileged mode
.Bd -literal -offset indent
nsh(p)/help
% Commands may be abbreviated.
% Commands are:

  rtable        Routing table switch
  show          Show system information
  flush         Flush system tables
  enable        Enable privileged mode
  clear         Clear the terminal screen
  disable       Disable privileged mode
  ping          Send IPv4 ICMP echo request
  ping6         Send IPv6 ICMP echo request
  traceroute    Print the route to IPv4 host
  traceroute6   Print the route to IPv6 host
  ssh           SSH connection to remote host
  telnet        Telnet connection to remote host
  reboot        Reboot the system
  logger        Write a message to syslog on the system
  halt          Halt the system
  powerdown     Power the system down
  write-config  Save the current configuration
  verbose       Set verbose diagnostics
  editing       Set command line editing
  configure     Set configuration mode
  who           Display system users
  do            Superfluous, do is ignored and its arguments executed
  setenv        Set an environment variable
  unsetenv      Delete an environment variable
  saveenv       Save environment variables set by setenv to ~/.nshenv
  !             Invoke a subshell or run an executable
  ?             Print help information
  manual        Display the NSH manual
  exit          Leave configuration mode and return to privileged mode
  quit          Close current connection
nsh(p)/
.Ed
.It
E.g. display help for all available commands in config  mode
.Bd -literal -offset indent
nsh(config-p)/?
% Commands may be abbreviated.
% Commands are:

  hostname      Set system hostname
  interface     Modify interface parameters
  rtable        Routing table switch
  group         Modify group attributes
  arp           Static ARP set
  ndp           Static NDP set
  nameserver    set or remove static DNS nameservers
  bridge        Modify bridge parameters
  show          Show system information
  ip            Set IP networking parameters
  ip6           Set IPv6 networking parameters
  mpls          Set MPLS network parameters
  ddb           Set DDB parameters
  pipex         Set PIPEX parameters
  flush         Flush system tables
  enable        Enable privileged mode
  clear         Clear the terminal screen
  disable       Disable privileged mode
  route         Add a host or network route
  pf            Packet filter control
  ospf          OSPF control
  ospf6         OSPF6 control
  eigrp         EIGRP control
  bgp           BGP control
  rip           RIP control
  ldp           LDP control
  relay         Relay control
  ipsec         IPsec IKEv1 control
  ike           IPsec IKEv2 control
  dvmrp         DVMRP control
  rad           Router advertisement control
  sasync        SA synchronization control
  dhcp          DHCP server control
  snmp          SNMP server control
  ldap          LDAP server control
  smtp          SMTP server control
  sshd          SSH server control
  ntp           NTP synchronization control
  nppp          PPP server control
  ifstate       ifstate server control
  ftp-proxy     ftp-proxy server control
  tftp-proxy    tftp-proxy server control
  tftp          TFTP server control
  resolv        Resolver configuration control
  motd          Message of-the-day
  crontab       Configure scheduled background jobs
  scheduler     Configure scheduled background jobs
  inet          Inet super-server control
  ping          Send IPv4 ICMP echo request
  ping6         Send IPv6 ICMP echo request
  traceroute    Print the route to IPv4 host
  traceroute6   Print the route to IPv6 host
  ssh           SSH connection to remote host
  telnet        Telnet connection to remote host
  reboot        Reboot the system
  logger        Write a message to syslog on the system
  halt          Halt the system
  powerdown     Power the system down
  write-config  Save the current configuration
  verbose       Set verbose diagnostics
  editing       Set command line editing
  configure     Set configuration mode
  who           Display system users
  do            Superfluous, do is ignored and its arguments executed
  setenv        Set an environment variable
  unsetenv      Delete an environment variable
  saveenv       Save environment variables set by setenv to ~/.nshenv
  !             Invoke a subshell or run an executable
  ?             Print help information
  manual        Display the NSH manual
  exit          Leave configuration mode and return to privileged mode
  quit          Close current connection
nsh(config-p)/
.Ed
.El
.Pp
.Tg manual
.Ic manual
.Op Ar search tag
.Pp
Display the
.Nm
manual page.
If a
.Ar search tag
is specified then jump to the first section matching this tag if one
or more matching tags exist.
.Pp
.Tg hostname
.Ic hostname
.Op Ar hostname
.Pp
hostname without arguments displays the current configured hostname
of the system.
hostname with an argument will set hostname to the argument's value.
.Bl -dash
.It
e.g. set hostname to the myfirewallname.com .
.Bd -literal -offset indent
nsh(config-p)/hostname myfirewallname.com
myfirewallname.com(p)/
.Ed
.El
.Pp
.Tg su
.Tg doas
.Tg sudo
.Tg enable
.Ic su
.Pp
An alias for the
.Cm enable
.Nm
command.
The
.Cm su
alias is to facilitate users used to running BSD systems elevate
privileges with a similar user experience to running
.Xr su 1
commmand in other shells.
See
.Cm enable
command below for more details.
.Pp
.Tg su
.Tg doas
.Tg sudo
.Tg enable
.Ic enable
.Pp
Start a privileged shell to allow the user to run privileged commands.
If an enable secret is set, the user shall be prompted to enter
the secret to access the privileged shell.
If neccessary,
.Nm
then attempts to obtain root privileges.
Depending on configuration, this step may require the user's password or
the root password to be entered.
Root privileges will be obtained via access rules in
.Xr doas.conf 5 ,
with a fallback to the root password.
For relevant configuration examples see
.Sx Section 7 Allowing users to run NSH
below.
.Pp
.Op no
.Ic enable Ar secret
.Pp
Set or the password that an administrator would enter to access the privileged
shell.
.Bl -dash
.It
e.g. Set a password manually to yourpassword
.Bd -literal -offset indent
nsh(config-p)/enable secret yourpassword
.Ed
.It
e.g. Set a password using a previously set encrypted password
.Bd -literal -offset indent
nsh(config-p)/enable secret blowfish $2b$10$kKSJFDd....NqIUaTCZ0=
.Ed
.El
.Pp
.Tg disable
.Ic disable
.Pp
Exit privileged mode.
Useful if you have completed configuration but still want the ability to run
diagnostics in an unprivileged
.Nm
shell.
.Pp
.Tg clear
.Ic clear
.Pp
Wipe contents of terminal and scrollback buffer and present a
.Nm
prompt at the first line of the active terminal.
See also
.Xr clear 1
for more information.
.Pp
.Tg rtable
.Tg rdomain
.Op no
.Ic rtable
.Op Ar table-id
.Op Ar name
.Pp
rtable when used with a specified table-id can execute services, diagnostic
commands (ping, traceroute) and set routes under alternate routing tables.
The default
.Ox
kernel can accommodate 256 rtables.
They have a 1:1 relationship with routing domains, except that routing domain 0
can contain multiple routing tables.
In addition, routing tables initialized prior to their corresponding
routing domain
.Xr rdomain 4
, shall be initialised with a routing domain of 0.
.Bl -dash
.It
e.g. Create a new routing table rdomain 3 create a loopback for rdomain 3.
.Bd -literal -offset indent
nsh(config-p)/interface lo3
nsh(interface-lo3)/rdomain 3
nsh(interface-lo3)/inet 127.0.0.1/8
.Ed
.It
configure a physical interface
.Bd -literal -offset indent
nsh(config-p)/interface em0
nsh(interface-em0)/rdomain 3
nsh(interface-em0)/inet 10.255.0.10/24
.Ed
.It
Once the rdomain has been initialized (by creating a loopback inside the
 rdomain) the administrator can add routes to the rtable.
.Bd -literal -offset indent
nsh(config-p)/rtable 3 customer label network3
nsh(p-rtable 3)/route 0.0.0.0/0 10.255.0.1
.Ed
.It
One can configure any service or daemon inside that routing domain e.g.
to setup ssh in rdomain 3
.Bd -literal -offset indent
nsh(p-rtable 3)/sshd edit
nsh(p-rtable 3)/sshd enable
.Ed
.It
The rtable command also supports unprivileged mode usage to execute
diagnostic commands in the respective route domain / VRF.
.Bd -literal -offset indent
nsh(p)/disable
nsh/rtable 3
nsh(rtable 3)/ping 10.255.0.10
%PING 10.255.0.10 (10.255.0.10): 56 data bytes
%64 bytes from 10.255.0.10: icmp_seq=0 ttl=255 time=0.090 ms
.Ed
.It
To leave the rtable menu the user can type rtable 0 to return to the main
routing table.
.Bd -literal -offset indent
nsh(p-rtable 3)/rtable 0
nsh(p)/
.Ed
.El
.Pp
.Tg group
.Op no
.Ic group
.Op Ar group-name
.Op Cm carpdemote
.Op demotion-counter
.Pp
Modify group attributes for the group-name named group.
TBC
.Pp
.Tg arp
.Op no
.Ic arp
.Op Ar IPv4-Address
.Op Ar MAC-Address
.Pp
Set or remove a static IP address and MAC address binding for Address
Resolution Protocol.
TBC
.Pp
.Tg ndp
.Op no
.Ic ndp
.Op Ar IPv6-Address
.Op Ar MAC-Address
.Op Cm temp
.Op Cm proxy
.Pp
Set or remove a static IPv6 address and MAC address binding for the
IPv6 Neighbour Discovery Protocol (NDP).
The entry will be permanent unless the word
.Cm temp
is given in the command.
If the word
.Cm proxy
is given, this system will act as an ND Proxy server,
responding to requests for
.Ar IPv6-Address
even though the MAC address is not its own.
.Pp
.Tg bridge
.Tg tpmr
.Tg veb
.Tg switch
.Tg layer2
.Op no
.Ic bridge
.Op Ar bridge-name
.Pp
Modify bridge configuration on the named bridge or layer 2
forwarding interfaces such as,
.Xr bridge 4 ,
.Xr veb 4 ,
.Xr tpmr 4 .
See also
.Ox
manual pages for
.Xr bridge 4 ,
.Xr veb 4 ,
.Xr tpmr 4
and
.Xr ifconfig 8
(accessible via the following
.Nm
commands):
.Bd -literal -offset indent
!man bridge
!man ifconfig
.Ed
.Bl -dash
.It
e.g. configure bridge settings on bridge1, and display bridge configuration
help.
.El
E.g show available bridge configuration commands.
.Bd -literal -offset indent
nsh(config-p)/bridge bridge100
nsh(bridge-bridge100)/?
% Commands may be abbreviated.
% Type 'exit' at a prompt to leave bridge configuration mode.
% Bridge configuration commands are:

  description   Bridge description
  member        Bridge member(s)
  span          Bridge spanning port(s)
  blocknonip    Block non-IP traffic forwarding on member(s)
  discover      Mark member(s) as discovery port(s)
  learning      Mark member(s) as learning port(s)
  stp           Enable 802.1D spanning tree protocol on member(s)
  maxaddr       Maximum address cache size
  timeout       Address cache timeout
  maxage        Time for 802.1D configuration to remain valid
  fwddelay      Time before bridge begins forwarding packets
  hellotime     802.1D configuration packet broadcast interval
  priority      Spanning priority for all members on an 802.1D bridge
  ping          Send IPv4 ICMP echo request
  ping6         Send IPv6 ICMP echo request
  traceroute    Print the route to IPv4 host
  traceroute6   Print the route to IPv6 host
  ssh           SSH connection to remote host
  telnet        Telnet connection to remote host
  logger        Write a message to syslog on the system
  do            Superfluous, do is ignored and its arguments executed
  setenv        Set an environment variable
  unsetenv      Delete an environment variable
  saveenv       Save environment variables set by setenv to ~/.nshenv
  rule          Bridge layer 2 filtering rules
  static        Static bridge address entry
  ifpriority    Spanning priority of a member on an 802.1D bridge
  ifcost        Spanning tree path cost of a member on 802.1D bridge
  link          Link level options
  txprio        Priority in tunnel protocol headers
  rxprio        Source used for packet priority
  vnetid        Virtual interface network identifier
  parent        Parent interface
  tunneldomain  Tunnel parameters
  protect       Configure protected bridge domains
  interface     Modify interface parameters
  shutdown      Shutdown bridge
  show          Show system information
  who           Display system users
  verbose       Set verbose diagnostics
  editing       Set command line editing
  !             Invoke a subshell or run an executable
  ?             Options
  manual        Display the NSH manual
  exit          Leave bridge config mode and return to global config mode
nsh(bridge-bridge100)/
.Ed
.Tg port
.Tg switchport
.Tg bridgeport
.Op no
.Ic member
.Op Ar interface-name
.Pp
Add a named interface as a member port to the layer 2 bridge device.
Using the no suffix removes the named interface from the layer 2
bridge device.
.Pp
E.g. configure a standard
.Xr bridge 4
device called bridge101 and add vlan 101 and vether101 as member ports.
.Bd -literal -offset indent
nsh(config-p)/bridge bridge101
nsh(bridge-bridge101)/member vether101
nsh(bridge-bridge101)/member vlan101
nsh(bridge-bridge101)/exit
.Ed
E.g. configure a virtual ethernet bridge
.Xr veb 4
device called veb101 and add vlan 101 and vether101 as member ports.
.Bd -literal -offset indent
nsh(config-p)/bridge veb101
nsh(bridge-veb101)/member vether101
nsh(bridge-veb101)/member vlan101
nsh(bridge-veb101)/exit
.Ed
E.g. configure a virtual ethernet bridge
.Xr veb 4
device called veb101 and add vlan 101 and vether101 as member ports.
.Bd -literal -offset indent
nsh(config-p)/bridge tpmr101
nsh(bridge-tpmr101)/member vether101
nsh(bridge-tpmr101)/member vlan101
nsh(bridge-tpmr101)/exit
.Ed
Note
.Xr tpmr 4
is a layer 2 mac relay and it does not have layer2 to physical
interface mac learning capabilities it is simply a relay, its
purpose is to minimise processing when forwarding packets
transparently between two and only two interfaces on a machine.
Consequentially not all bridge configuration commands will be accepted by
the system.
If an unsupported command is issued to a tpmr interface the system will
display the following when rejecting the configuration command
.Bd -literal -offset indent
% Inappropriate ioctl for device
.Ed
.Tg protected
.Tg isolation
.Op no
.Ic protected
.Op Ar interface-name
.Pp
This command requires that the named interface is already a member
of the layer 2 bridge device.
Add the named interface to a protected domain.
Any member ports in the same bridge in the same protected domain are
isolated from each other.
No layer 2 communication is possible between memers ports in the same
port protection group.
Protected domains allow for selective port isolation and or private
vlan functionality.
.Pp
E.g. enable port isolation between vether101 and vlan101 which are
member ports of the bridge veb101.
.Bd -literal -offset indent
nsh(config-p)/bridge veb101
nsh(bridge-veb101)/protect vether101 20
nsh(bridge-veb101)/protect vlan101 20
nsh(bridge-veb101)/exit
.Ed
.Tg ip6
.Op no
.Ic ip6
.Op Cm \&? | forwarding | mforwarding | multipath | maxifprefixes | maxifdefrouters | maxdynroutes
.Pp
Configure IPv6 networking parameters,
such as forwarding, multicast forwarding, multipath routing, etc.
.Bl -dash
.It
e.g. list available IPv6 configuration options
.Bd -literal -offset indent
nsh(config-p)/ip6
% Commands may be abbreviated.
% 'ip6' commands are:
  forwarding       Enable IPv6 Forwarding
  mforwarding      Enable IPv6 Multicast Forwarding
  multipath        Multipath routing
  maxdynroutes     Max IPv6 Dyn Routes
  ?                Help
.Ed
.El
.Pp
.Op no
.Ic ip6 forwarding
.Pp
Enable or disable forwarding (routing /NAT) of IPv6 packets through the
kernel.
.Bd -literal -offset indent
nsh(config-p)/ip6 forwarding
.Ed
.Pp
.Op no
.Ic ip6 forwarding
.Pp
Enable or disable forwarding of IPv6 multicast packets through the
kernel.
.Bd -literal -offset indent
nsh(config-p)/ip6 mforwarding
.Ed
.Pp
.Op no
.Ic ip6 multipath
.Pp
Enable or disable multipath routing for IPv6 addresses.
If multipath is disabled, only the first selected route is used for a
given destination regardless of how many routes exist in the routing table.
.Bd -literal -offset indent
nsh(config-p)/ip6 multipath
.Ed
.Pp
.Op no
.Ic ip6 maxdynroutes
.Op Ar max-route-value
.Pp
Set or disable the limit on maximum number of IPv6 routes created as a result
of incomming ICMPv6 redirects.
The max-route-value can be set to any value 0-20480 or -1.
A value of 0 prevents any routes being created as a result of incoming ICMPv6
redirects.
Set to -1 to disable the limit.
The default value for maxdynroutes is 4096.
.Bd -literal -offset indent
nsh(config-p)/ip6 maxdynroutes 8192
.Ed
.Tg mpls
.Op no
.Ic mpls
.Op Cm \&? | ttl | mapttl-ip | mapttl-ip6
Configure MPLS (Multi Protocol Label Switching) network parameters in the
kernel.
.Bd -literal -offset indent
nsh(config-p)/mpls ?
% Commands may be abbreviated.
% 'mpls' commands are:

  ttl         MPLS ttl
  mapttl-ip   MPLS mapttl IPv4
  mapttl-ip6  MPLS mapttl IPv6
  ?           Help
.Ed
.Pp
.Op no
.Ic mpls ttl
.Op Ar 0-255
.Pp
Configure the default MPLS (Multi Protocol Label Switching) TTL (time to live)
in the kernel for MPLS shim headers of generated (not forwarded) MPLS packets.
The default value is 255.
.Bd -literal -offset indent
nsh(config-p)/mpls ttl 64
.Ed
.Pp
.Op no
.Ic mpls mapttl-ip
.Op Ar 0-1
.Pp
Set or unset whether the kernel decrements the TTL of the IP packet
header that is encapsulated in mpls packet, when the packet is mpls label
switched (forwarded via MPLS).
This is useful when diagnosing failures in the forwarding path of an
MPLS tunnel.
If set to 0, the encapsulated payload IP header TTL is not modified while
passing through MPLS and the MPLS label stack.
The default value is 1.
.Bd -literal -offset indent
nsh(config-p)/mpls mapttl-ip 1
.Ed
.Pp
.Op no
.Ic mpls mapttl-ip6
.Op Ar 0-1
.Pp
Set or unset whether or not the kernel decrements the TTL of the IPv6
packet header that is encapsulated in mpls packet, when the packet is mpls
label switched (forwarded via MPLS).
This feature is useful when diagnosing failures in the forwarding path of an
MPLS tunnel.
If set to 0, the encapsulated payload IPv6 header TTL field is not modified
while passing through MPLS and the MPLS label stack.
The default value is 0.
.Bd -literal -offset indent
nsh(config-p)/mpls mapttl-ip6 1
.Ed
.Pp
.Tg ddb
.Op no
.Ic ddb
.Op Cm \&? | panic | console | log
.Pp
Configure or remove kernel debug (DDB) options.
.Bd -literal -offset indent
nsh(config-p)/ddb ?
% Commands may be abbreviated.
% 'ddb' commands are:

  panic    DDB panic
  console  DDB console
  log      DDB log
  ?        Help

.Ed
.Pp
.Op no
.Ic ddb panic
.Pp
Enable or disable dropping the system to the kernel debugger in the event of a
system panic.
By default, dropping to the ddb debugger in a system panic is enabled.
.Bd -literal -offset indent
nsh(config-p)/ddb panic
.Ed
.Pp
.Op no
.Ic ddb console
.Pp
Enable access to the kernel debugger from the console using an
architecture-dependent magic key sequence on the console or a debugger button.
When running
.Ox
with a
.Xr securelevel 7
greater than 0, this feature cannot be enabled.
By default accessing the ddb debugger from the console is disabled.
.Bd -literal -offset indent
nsh(config-p)/ddb console
.Ed
.Pp
.Op no
.Ic ddb log
.Pp
Enable or disable logging the output of the kernel debugger in the kernel
message buffer.
By default ddb debugger output logging to the kernel message buffer is
enabled.
.Bd -literal -offset indent
nsh(config-p)/ddb log
.Ed
.Pp
.Tg pipex
.Op no
.Ic pipex
.Op Cm  \&? | enable
.Pp
Enable or disable
.Xr pipex 4
processing on
.Xr pppac 4
and
.Xr pppx 4
interfaces.
.Xr pipex 4
handles PPP frames and forwards IP packets in-kernel.
It accelerates the performance of packet forwarding, because it reduces
copying of packets between kernel and userland.
By default pipex is disabled.
.Bd -literal -offset indent
nsh(config-p)/pipex enable
.Ed
.Pp
.Tg packetfilter
.Tg firewall
.Tg pf
.Ic pf
.Op Cm \&? | enable | disable | edit | check-config | reload
.Pp
Control the configuration and operation of the pf (Packet Filter) firewall.
.Bd -literal -offset indent
nsh(config-p)/pf ?
% Arguments may be abbreviated

   enable       enable pf firewall
   disable      disable pf firewall
   edit         edit, test and stage firewall rules
   check-config test and display staged firewall rules
   reload       test and apply staged firewall rules
nsh(config-p)/
.Ed
.Pp
.Ic pf edit
.Pp
Open the default editor for the user and allow the user modify and stage
the firewall configuration.
The edited ruleset is automatically validated by
.Nm
with
.Xr pfctl 8
on exiting the editor.
If the user entered pf configuration is incorrect on exiting the editor,
.Nm
will display a syntax error warning with each line number that fails the
syntax check.
.Pp
E.g. warning displayed by
.Cm pf edit
when the incorrect syntax is used.
.Bd -literal -offset indent
nsh(config-p)/pf edit
/var/run/pf.conf.0:15: syntax error
/var/run/pf.conf.0:17: syntax error
.Ed
Note! firewall configuration changes DO NOT take effect until the
.Cm pf reload
command is excecuted.
The editor used by
.Nm
can be customised to your preferred editor using the
EDITOR or VISUAL environment variables.
For packet filter configuration syntax, refer to
.Xr pf.conf 5 .
.Bd -literal -offset indent
nsh(p)/!man pf.conf
nsh(config-p)/pf edit
.Ed
.Pp
.Ic pf check-config
.Pp
The
.Cm pf check-config
command uses
.Ox
.Xr pfctl 8
to validate the syntax of the staged pf configuration.
If the staged pf configuration passes the syntax checker, the rules
will be displayed in order with their rule number.
If the staged pf configuration fails the syntax checker, the line
numbers with the syntax errors will be listed.
.Pp
.Ic pf reload
.Pp
The
.Cm pf reload
command uses
.Ox
.Xr pfctl 8
to validate the syntax of the staged pf configuration.
If the
.Cm pf edit
config passes,
.Nm
commits the new configuration atomically.
In other words
.Cm pf reload
checks firewall configuration using
.Ox
.Xr pfctl 8
and if the pf configuration passes
.Nm
commits the configuration so that it is active in the kernel.
If the user entered pf configuration is not correct.
.Nm
will issue warning listing the line numbers where the syntax is incorrect.
E.g. Example syntax warning issued by pf reload warning that there is an error
in lines 15 and 17 of the user entered pf configuration.
.Bd -literal -offset indent
nsh(config-p)/pf reload
/var/run/pf.conf.0:15: syntax error
/var/run/pf.conf.0:17: syntax error
pfctl: Syntax error in config file: pf rules not loaded
.Ed
.Pp
.Tg ospf
.Ic ospf
.Op Cm \&? | enable | disable | edit | reload | fib | log
Enable, disable or configure
.Xr ospfd 8 ,
the OSPF (Open Shortest Path First) daemon.
.Bd -literal -offset indent
nsh(config-p)/ospf enable
.Ed
.Pp
.Ic ospf edit
Edit the configuration of the OSPF daemon.
The edited ruleset is automatically validated on saving and exiting the
editor.
Note ospfd configuration changes DO NOT take effect until the "ospf reload"
command is entered.
The editor used by
.Nm
can be customised to your preferred editor using the
EDITOR or VISUAL environment variables.
For OSPF configuration syntax, refer to
.Xr ospfd.conf 5 .
.Bd -literal -offset indent
nsh(p)/!man ospfd.conf
nsh(config-p)/ospf edit
.Ed
.Pp
.Ic ospf reload
Reread and apply the OSPF configuration.
.Bd -literal -offset indent
nsh(config-p)/ospf reload
.Ed
.Pp
.Ic ospf fib
.Op Cm \&? | couple | decouple | reload
.Pp
Configure whether or not
.Xr ospfd 8
updates the forwarding information base (the active kernel routing tables).
this is an active control not a persistent configuration setting.
.\" TODO rewording attempted
See "fib-update" in
.Xr ospfd.conf 5
for more information.
The decouple feature is useful for monitoring OSPF networks without affecting
the routing table of the system.
OSPF decouple should only be done where there is only one link between the
system and the rest of the OSPF network.
The ospf fib reload command re fetches and relearns the routes in the FIB and
passes them to the ospfd daemon for processing.
.Bd -literal -offset indent
nsh(config-p)/ospf fib decouple
.Ed
.Pp
.Ic ospf log
.Op Cm \&? | verbose | brief
.Pp
Configure the detail level of
.Xr ospfd 8
logging messages.
Set ospf log verbose to enable detailed debug log output from ospfd.
set ospf log brief to disable detailed debug log output from ospfd.
.Bd -literal -offset indent
nsh(config-p)/ospf log verbose
.Ed
.Pp
.Tg eigrpd
.Tg eigrp
.Ic eigrp
.Op Cm  \&? | enable | disable | edit
.Op Cm options
.Pp
Enable or disable or configure the
.Xr eigrpd 8
Enhanced Interior Gateway Routing Protocol daemon.
The configuration of
.Ic eigrp
daemon can be edited with
.Cm edit
command, the configuration syntax of
.Ic eigrp
daemon is documented in
.Xr eigrpd.conf 5
manual page.
Thre are a number of
.Cm options
that can be used to control the operation of
.Xr eigrpd 8
daemon, these options are documented in the
.Xr eigrpctl 8
manual page.
.Pp
.Tg bgpd
.Tg bgp
.Tg bgpctl
.Tg bgp
.Ic bgp
.Op Cm  \&? | enable | disable | edit
.Op Cm options
.Pp
Enable or disable or configure
.Xr bgpd 8 ,
the Border Gateway Protocol daemon.
Configuration of the
.Ic bgp
daemon can be edited with
.Cm edit
command, the syntax is documented in
.Xr bgpd.conf 5 .
Thre are a number of
.Cm options
that can be used to control the operation of
.Xr bgpd 8 ,
documented in
.Xr bgpctl 8 .
.Pp
.Tg ripd
.Tg rip
.Ic rip
.Op Cm  \&? | enable | disable | edit
.Op Cm options
.Pp
Enable or disable or configure the
.Xr ripd 8
Routing Information Protocol daemon.
The configuration of
.Ic rip
daemon can be edited with
.Cm edit
command, the configuration syntax is documented in
.Xr ripd.conf 5 .
Thre are a number of
.Cm options
that can be used to control the operation of
.Xr ripd 8
daemon, these options are documented in
.Xr ripctl 8 .
.Pp
.Tg ldpd
.Tg ldp
.Ic ldp
.Op Cm  \&? | enable | disable | edit
.Op Cm options
.Pp
Enable or disable or configure the
.Xr ldpd 8
Label Distribution Protocol daemon.
The configuration of
.Ic ldp
daemon can be edited with
.Cm edit
command, the configuration syntax of
.Ic ldp
daemon is documented in
.Xr ldpd.conf 5 .
Thre are a number of
.Cm options
that can be used to control the operation of
.Xr ldpd 8
daemon, these options are documented in
.Xr ldpctl 8 .
.Pp
.Tg relayd
.Tg relay
.Ic relay
.Op Cm  \&? | enable | disable | edit
.Op Cm options
.Pp
Enable or disable or configure the
.Xr relayd 8 ,
a load balancer and TLS termination daemon.
The configuration of
.Ic relay
daemon can be edited with
.Cm edit
command, the syntax is documented in
.Xr relayd.conf 5 .
There are a number of
.Cm options
that can be used to control the operation of
.Xr relayd 8
daemon, these options are documented in
.Xr relayctl 8 .
.Pp
.Tg isakmpd
.Tg ipsec
.Ic ipsec
.Op Cm  \&? | enable | disable | edit | reload
.Pp
Enable or disable or configure the
.Xr isakmpd 8
Internet Key Exchange version 1 IKEv1 ISAKMP / Oakley daemon.
The configuration of
.Ic ipsec
daemon can be edited with
.Cm edit
command, the configuration syntax of
.Ic ipsec
daemon is documented in
.Xr isakmpd.conf 5
and
.Xr ipsec.conf 5 .
.Pp
.Tg iked
.Tg ike
.Ic ike
.Op Cm  \&? | enable | disable | edit
.Op Ar options
.Pp
Enable or disable or configure the
.Xr iked 8
Internet Key Exchange version 2 IKEv2 daemon.
The configuration of
.Ic ike
daemon can be edited with
.Cm edit
command, the configuration syntax of
.Ic ike
daemon is documented in
.Xr iked.conf 5 .
.Ar options
to control the
.Xr iked 8
daemon in a similar manner to
.Xr ikectl 8
i.e to force ike daemon to run in active mode or passive mode, or reload the
the daemon configuration.
These features are documented in
.Xr ikectl 8 .
.Pp
.Tg dvmrpd
.Tg dvmrp
.Ic dvmrp
.Op Cm  \&? | enable | disable | edit
.Pp
Enable or disable or configure the
.Xr dvmrpd 8
Distance Vector Multicast Routing Protocol daemon.
The configuration of
.Ic dvmrp
daemon can be edited with
.Cm edit
command, the configuration syntax of
.Ic dvmrp
daemon is documented in
.Xr dvmrpd.conf 5
manual page.
.Pp
.Tg rad
.Ic rad
.Op Cm  \&? | enable | disable | edit
.Pp
Enable or disable or configure the
.Xr rad 8
Router Advertisement daemon for IPv6.
The configuration of
.Ic rad
daemon can be edited with
.Cm edit
command, the syntax is documented in
.Xr rad.conf 5 .
.Pp
.Tg sasyncd
.Tg sasync
.Ic sasync
.Op Cm  \&? | enable | disable | edit
.Pp
Enable or disable or configure the
.Xr sasyncd 8
IPSec Security Association synchronisation daemon for failover gateways.
The configuration of
.Ic sasync
daemon can be edited with
.Cm edit
command, the configuration syntax of
.Ic sasync
daemon is documented in
.Xr sasyncd.conf 5 .
.Bd -literal -offset indent
nsh(config-p)/sasync
% Arguments may be abbreviated

   enable  enable sasyncd service
   disable disable sasyncd service
   edit    edit,test and stage sasyncd config
.Ed
.Pp
.Tg dhcpd
.Tg dhcp
.Ic dhcp
.Op Cm  \&? | enable | disable | edit | restart
.Pp
Enable, disable, configure, or restart the
.Xr dhcpd 8
Dynamic Host Configuration Protocol daemon.
This daemon acts as a DHCP server.
The configuration of
.Ic dhcp
daemon can be edited with
.Cm edit
command, the configuration syntax of
.Ic dhcp
daemon is documented in
.Xr dhcpd.conf 5 .
Configuration file changes will not take effect until
.Xr dhcpd 8
is restarted.
.Pp
.Tg snmpd
.Tg snmp
.Ic snmp
.Op Cm  \&? | enable | disable | edit
.Op Ar options
.Pp
Enable or disable or configure the
.Xr snmpd 8
Simple Network Monitoring Protocol daemon.
The configuration of
.Ic snmp
daemon can be edited with
.Cm edit
command, the configuration syntax of
.Ic snmp
daemon is documented in
.Xr snmpd.conf 5
.Pp
.Tg ldapd
.Tg ldap
.Ic ldap
.Op Cm  \&? | enable | disable | edit
.Op Ar options
.Pp
Enable or disable or configure the
.Xr ldapd 8
Lightweight Directory Access Protocol daemon.
The configuration of
.Ic ldap
daemon can be edited with
.Cm edit
command, the configuration syntax of
.Ic ldap
daemon is documented in
.Xr ldapd.conf 5 .
.Ar options
to control the
.Xr ldapd 8
daemon in a similar manner to
.Xr ldapctl 8
e.g. to set log verbose vs brief or to compact / re-index the LDAP database
are documented in
.Xr ldapctl 8 .
.Pp
.Tg smtpd
.Tg smtp
.Ic smtp
.Op Cm  \&? | enable | disable | edit
.Op options
.Pp
Enable or disable or configure the
.Xr smtpd 8
OpenSMTPD Simple Mail Transfer Protocol daemon.
The configuration of
.Ic smtp
daemon can be edited with
.Cm edit
command, the configuration syntax of
.Ic smtp
daemon is documented in
.Xr smtpd.conf 5
manual page.
.Pp
.Ar options
to control
.Xr smtpd 8
in a similar manner to
.Xr smtpctl 8
i.e pausing / resuming mta (mail transfer agents) / mda (mail delivery
agents) are documented in
.Xr smtpctl 8 .
.Pp
.Tg sshd
.Ic sshd
.Op Cm \&? | enable | disable | edit
.Pp
Enable or disable or configure the
.Xr sshd 8
OpenSSH secure shell daemon.
The configuration of
.Ic sshd
daemon can be edited with
.Cm edit
command, the syntax is documented in
.Xr sshd_config 5 .
.Pp
.Tg ntpd
.Tg ntp
.Ic ntp
.Op Cm enable | disable | edit
.Pp
Enable or disable or configure the
.Xr ntpd 8
Open network time protocol daemon.
The configuration of
.Ic ntp
daemon can be edited with
.Cm edit
command, the syntax is documented in
.Xr ntpd.conf 5 .
.Pp
.Tg npppd
.Tg nppp
.Ic nppp
.Op Cm \&? | enable | disable | session | monitor | edit
.Op Cm clear Ar \&? | all | ppp-id | address | interface | protocol | realm | \
username
.Op Cm session Ar \&? |all | brief | packets
.Op Cm monitor Ar \&? | all | ppp-id | address | interface | protocol | realm | \
username
.Pp
Enable or disable or configure the
.Xr npppd 8
new Point-to-Point Protocol daemon.
The
.Ic nppp
daemon supports termination of PPPoE, PPTP and L2TP PPP tunnels.
.Xr npppd 8
works with
.Xr pipex 4
for improved throughput through the ppp tunnels.
.Pp
The configuration of
.Ic nppp
daemon can be edited with
.Cm edit
command, the syntax is documented in
.Xr npppd.conf 5 .
.Pp
.Tg ifstated
.Tg ifstate
.Ic ifstate
.Op Cm enable | disable | edit
.Pp
Enable or disable or configure the
.Xr ifstated 8
interface state daemon.
The configuration of
.Ic ifstate
daemon can be edited with
.Cm edit
command, the syntax is documented in
.Xr ifstated.conf 5 .
.Pp
.Tg ftp-proxy
.Ic ftp-proxy
.Op Cm enable | disable
Activate or deactivate the local ftp proxy on the system.
ftp-proxy in order to function properly requires pf to be enabled on the
system.
.Nm
starts ftp-proxy on 127.0.0.1 (rdomain 0) by default.
Redirect rules in pf must be used to direct outside traffic from any rdomain
to the local tftp daemon.
.Bl -dash
.It
e.g. enable ftp-proxy
.Bd -literal -offset indent
nsh(config-p)/ftp-proxy enable
.Ed
.El
.Pp
.Tg tftp-proxy
.Ic tftp-proxy
.Op Cm enable | disable
.Pp
Activate or deactivate the local tftp proxy on the system.
tftp-proxy in order to function properly requires pf to be enabled on the
system.
.Nm
starts tftp-proxy on 127.0.0.1 (domain 0), port 6969 by default.
Redirect rules in pf must be used to direct outside traffic from any rdomain
to the local tftp proxy.
.Bl -dash
.It
e.g. enable tftp-proxy and redirects needed to use it.
.Bd -literal -offset indent
nsh(config-p)/tftp-proxy enable
.Ed
.It
Add firewall rule in pf to divert tftp requests to tftp proxy
.Bd -literal -offset indent
nsh(config-p)/pf edit

pass in quick on $int_if inet proto udp from $lan to port tftp
divert-to 127.0.0.1 port 6969
pass out quick on $ext_if inet proto udp from $lan to port tftp
group proxy divert-reply
.Ed
.El
.Pp
.Tg tftp
.Ic tftp
.Op Cm enable | disable
.Pp
Enable or disable the tftp daemon.
.Nm
starts tftpd on 127.0.0.1, port 69 by default.
.Pp
.Tg resolv
.Ic resolv
.Op Cm enable | disable
.Pp
Enable or disable
.Xr resolvd 8 .
.Xr resolvd 8
is enabled by default and is required to learn DNS information over
DHCP and IPv6 RA.
If
.Xr resolvd 8
is disabled then the
.Xr resolv.conf 5
file must be maintained manually.
.Pp
.Tg nameserver
.Tg resolv.conf
.Op no
.Ic nameserver
.Ar IP-address1
.Op Ar IP-address2 ...  IP-address5
.Pp
Configure static DNS name resolution servers used by the system.
Up to 5 IPv4 and/or IPv6.
.Ar IP-address
arguments can be specified, which will then be added to
.Xr resolv.conf 5
via
.Xr resolvd 8 .
.Pp
The
.Cm no nameserver
command removes any previously configured static DNS servers.
.Pp
The
.Cm nameserver
command requires
.Xr resolvd 8
to be enabled.
DNS servers learned via DHCP or IPv6 RA are not affected by the
.Cm nameserver
command.
.Pp
.Tg inetd
.Tg inet
.Ic inet
.Op Cm enable | disable | edit
.Pp
Enable or disable or configure the
.Xr inetd 8
inet superserver daemon.
The configuration of inet daemon can be edited with
.Cm edit
command, the syntax is documented in
.Xr inetd.conf 8 .
.Pp
.Tg ping
.Ic ping
.Op options
.Ar host
.Pp
Send ICMP ECHO_REQUEST packets to an IPv4 network
.Ar host ,
specified by name or IPv4 address.
The
.Ar options
are documented in the
.Xr ping 8 .
.Pp
.Tg ping6
.Ic ping6
.Op options
.Ar host
.Pp
Send ICMP ECHO_REQUEST packets to an IPv6 network
.Ar host ,
specified by name or IPv6 address.
The
.Ar options
are documented in the
.Xr ping6 8
manual page.
.Pp
.Tg traceroute
.Ic traceroute
.Op options
.Ar host
.Pp
Trace and print the route packets take to an IPv4 network
.Ar host ,
specified by name or IP address.
The
.Ar options
are documented in
.Xr traceroute 8 .
.Pp
.Tg traceroute6
.Ic traceroute6
.Op options
.Ar host
.Pp
Trace and print the route packets take to an IPv6 network
.Ar host ,
specified by name or IP address.
The
.Ar options
are documented in
.Xr traceroute6 8 .
.Pp
.Tg ssh
.Ic ssh
.Op Ar options
.Op Ic -p Ar port
.Ar host
.Pp
Open a OpenSSH
.Xr ssh 1
session to the remote system
.Ar host ,
specified by name or IP address.
The
.Ar port
is the TCP port on the remote host which you wish to connect.
The
.Ar options
are documented in
.Xr ssh 1 .
.Pp
.Tg telnet
.Ic telnet
.Op Ar options
.Op Ar host
.Op port
.Pp
Open a
.Xr telnet 1
session to the given TCP
.Ar port
on the remote server
.Ar host ,
specified by name or IP address.
If the port is not specified the IANA assigned port 23 for telnet will be
used.
The
.Ar options
are documented in
.Xr telnet 1 .
.Pp
.Tg crontab
.Ic crontab Op Cm edit | install
.Pp
Edit the configuration of scheduled background jobs which are
managed by
.Xr cron 8 .
Only the crontab file of the root user can be edited.
See the
.Xr crontab 5
man page for information about configuration file syntax.
.Pp
.Nm
stores a private copy of the root user's crontab in
.Pa /var/run/crontab.0 .
The
.Cm crontab edit
command edits this file and then installs it to the system by running the
.Xr crontab 1
command.
.Pp
The
.Cm crontab install
command skips editing but otherwise has the same effect.
This command can be used to overwrite the system crontab in case it has
become out of sync with the copy managed by
.Nm .
.Pp
.Tg scheduler
.Ic scheduler Op Cm edit | install
.Pp
The
.Cm scheduler
command is an alias for the
.Cm crontab
command described above.
.Pp
.Tg logger
.Tg syslog
.Tg log
.Tg message
.Ic logger
.Ar log message
.Pp
The logger command allows the user to enter arbitary messages into
the system log.
It can be useful to mark external events of note for diagnostics
and context in analysis later on.
See
.Xr logger 1
for more information.
.Bl -dash
.It
E.g recording a power outage in the log for future reference.
.Bd -literal -offset indent
nsh(config-p)/logger power failure in facility
nsh(config-p)/logger interface drops due to unprotected devices
nsh(config-p)/!tail /var/log/messages
Sep  8 13:03:30 tobsd /bsd: scsibus2 at vscsi0: 256 targets
Sep  8 13:03:30 tobsd /bsd: softraid0 at root
Sep  8 13:03:30 tobsd /bsd: scsibus3 at softraid0: 256 targets
Sep  8 13:03:30 tobsd /bsd: root on sd0a (619d721c1c3c871d.a) swap on sd0b dump on sd0b
Sep  8 13:03:30 tobsd savecore: /dev/sd0b: Device busy
Sep  8 13:03:55 tobsd reorder_kernel: kernel relinking done
Sep  8 15:05:06 tobsd tom: power failure in facility
Sep  8 15:05:37 tobsd tom: interface drops due to unprotected devices
.Ed
.El
.Pp
.Tg reboot
.Tg restart
.Tg reload
.Ic reboot
.Pp
Restart the system.
.Nm
when processing the command will warn the user if there are
unsaved changes to the running-config.
The user will be prompted to confirm the reboot in any case.
The command requires
.Nm
to be in privileged mode and requires root user privileges.
.Bl -dash
.It
E.g. restart the system
.Bd -literal -offset indent
nsh(config-p)/reboot
% WARNING: The running configuration contains unsaved changes!
% The 'show diff-config' command will display unsaved changes.
% The 'write-config' command will save changes to /etc/nshrc.
Proceed with reboot? [yes/no]
.Ed
.El
.Pp
.Tg reboot
.Tg restart
.Tg reload
.Ic reload
.Pp
an alias for the reboot command above.
.Nm
when processing the command will warn the user if there are
unsaved changes to the running-config.
The user will be prompted to confirm the reboot in any case.
The command requires
.Nm
to be in privileged mode and requires root user privileges.
.Bl -dash
.It
E.g. restart the system
.Bd -literal -offset indent
nsh(config-p)/reload
% WARNING: The running configuration contains unsaved changes!
% The 'show diff-config' command will display unsaved changes.
% The 'write-config' command will save changes to /etc/nshrc.
Proceed with reboot? [yes/no]
.Ed
.El
.Pp
.Tg halt
.Ic halt
Shut down the system.
The system will halt and then wait for a key to be pressed on the
console before rebooting.
Requires
.Nm
to be in privileged mode and requires root user privileges.
.Bl -dash
.It
e.g. shutdown the system
.Bd -literal -offset indent
nsh(p)/halt
% Shutdown initiated
.Ed
.El
.Pp
.Tg powerdown
.Ic powerdown
Shut down the system and then turn off power.
Restarting the system will require access to the power-on button.
Requires
.Nm
to be in privileged mode and requires root user privileges.
.Bl -dash
.It
e.g. power the system down
.Bd -literal -offset indent
nsh(p)/powerdown
% Shutdown initiated
.Ed
.El
.Pp
.Tg write-config
.Ic write-config
.Pp
Save the running configuration to the permanent configuration space.
On the next startup of the system, this saved configuration is used.
.Bl -dash
.It
e.g. save the configuration on the system
.Bd -literal -offset indent
nsh(p)/write-config
% Configuration saved
.Ed
.El
.Pp
.Tg verbose
.Op no
.Ic verbose
.Pp
Verbose mode sets
.Nm
to display extra information on entered commands.
It is useful during a diagnostic and troubleshooting session.
.Bl -dash
.It
E.g. enable verbose output
.Bd -literal -offset indent
nsh/verbose
% Diagnostic mode enabled
.Ed
.It
If you do not wish to have the extra information displayed, you may
disable verbose mode.
.Bd -literal -offset indent
nsh/no verbose
% Diagnostic mode disabled
.Ed
.El
.Tg show
.Ic show
.Op hostname | interface | autoconf | ip | inet | inet6 | route | route6\
 | sadb | arp | ndp | vlan | kernel | bgp | ospf | ospf6 | pf | eigrp | rip\
 | ldp | ike | ipsec | dvmrp | relay | dhcp | smtp | ldap | monitor\
 | version | users | crontab | running-config | startup-config\
 | system-stats |\&? | help
.Pp
The main diagnostic and informational command is 'show'.
show without arguments  displays the available diagnostic show sub commands.
.Bl -dash
.It
E.g using show and its built in help
.Bd -literal -offset indent
nsh(p)/show
% Commands may be abbreviated.
% 'show' commands are:

  hostname        Router hostname
  interface       Interface config
  autoconf        IPv4/IPv6 autoconf state
  ip              IP address information
  inet            IPv4 address information
  inet6           IPv6 address information
  route           IPv4 route table or route lookup
  route6          IPv6 route table or route lookup
  sadb            Security Association Database
  arp             ARP table
  ndp             NDP table
  vlan            802.1Q/802.1ad VLANs
  bridge          Ethernet bridges
  kernel          Kernel statistics
  bgp             BGP information
  ospf            OSPF information
  ospf6           OSPF6 information
  pf              Packet Filter firewall information
  eigrp           EIGRP information
  rip             RIP information
  ldp             LDP information
  ike             IKE information
  ipsec           IPsec information
  dvmrp           DVMRP information
  relay           Relay server
  dhcp            DHCP server
  smtp            SMTP server
  ldap            LDAP server
  monitor         Monitor routing/arp table changes
  system-stats    System, firewall and kernel statistics
  version         Software information
  users           System users
  crontab         Scheduled background jobs
  running-config  Operating configuration
  startup-config  Startup configuration
  ?               Options
nsh(p)/
.Ed
.El
.Pp
.Ic show hostname
.Pp
Display the system's currently assigned hostname.
.Bl -dash
.It
e.g. display the name of the device
.Bd -literal -offset indent
nsh(p)/show hostname
% devicename.com
.Ed
.El
.Pp
.Tg interface
.Ic show interface
.Op Ar interface-name
.Op Cm status
.Pp
Display essential information about the system network interfaces including
any network bridges / switches.
show interface without any arguments displays information about all
interfaces available on the system.
The
.Cm status
keyword shows a useful summary (including the Name, Admin Status, Link
state, and Media type) of each hardware and other
configured network interfaces on the system.
.Pp
show interface
.Ar interface-name
Display information about a specific interface.
.Bl -dash
.It
e.g. display information about the loopback interface.
.Bd -literal -offset indent
nsh/show interface lo0
% lo0
  Interface is up (last change 22:07:02), protocol is up
  Interface type Loopback
  Internet address ::1/128, fe80::1%lo0/64, 127.0.0.1/8
  rdomain 0, MTU 32768 bytes
  4 packets input, 160 bytes, 0 errors, 0 drops
  4 packets output, 160 bytes, 0 errors, 0 unsupported
.Ed
.It
"Interface is up" means that the interface is turned on in software.
"Protocol is up" means that the interface is configured and ready to run.
The "Interface type" explains what the interface is used for on
the system.
Some interfaces are not intended to pass traffic for network users, and instead
handle internal functions on the system.
See
.Xr ifconfig 8
for more information on interface types supported by
.Ox .
.It
"Internet address" shows the IPv4 and IPv6 addresses configured for the
interface, if any.
IPv6 addresses with a % sign are "link-local" and not valid outside of the
context of the interface name specified.
MTU describes the Maximum Transmission Unit, the largest size of a packet which
the kernel can transmit on this interface.
.It
The statistics show the number of packets, bytes, errors, and dropped packets
in both incoming and outgoing directions.
The average input/output sizes describe the median size of packets going in
and out the interface.
Note that the total bytes in and/or out may not be accurate.
.Ox
uses an unsigned long type to hold the byte count.
When the byte count exceeds the storage limit of an unsigned long
(4,294,967,295 on a 32 bit architecture or 18,446,744,073,709,551,615
on a 64-bit architecture), the counter will overflow, causing it to roll over
to 0.
The average packet size is inaccurate when the total byte count rolls
over, because the total number of packets reflects bytes that are no
longer counted.
.It
With verbose mode enabled, 'show interface' displays the raw kernel flags
for an interface.
See
.Xr ifmedia 4
for an explanation of these flags.
.Bd -literal -offset indent

nsh(p)/show interface lo0
% lo0
  Interface is up (last change 22:13:28), protocol is up
  Interface type Loopback
  Internet address ::1/128, fe80::1%lo0/64, 127.0.0.1/8
  rdomain 0, MTU 32768 bytes
  4 packets input, 160 bytes, 0 errors, 0 drops
  4 packets output, 160 bytes, 0 errors, 0 unsupported
  Flags:
    <UP,LOOPBACK,RUNNING,MULTICAST>
  Hardware features:

.Ed
.It
With a bridge, verbose mode displays spanning tree member states and bridge
members.
.Bd -literal -offset indent
nsh/show int bridge0
% bridge0
  Bridge is up (last change 00:00:21), protocol is up
  Interface type Ethernet Bridge
  0 packets input, 0 bytes, 0 errors, 0 drops
  0 packets output, 0 bytes, 0 errors, 0 unsupported
  Flags:
    <UP,RUNNING>
  STP member state:
    sis0: listening

.Ed
.It
With an IEEE 802.11 wireless interface, verbose mode displays the network ID,
network key, and power-saving mode (if enabled).
.Bd -literal -offset indent
nsh/show int athn0
% athn0
  BLah blah
  IEEE 802.11
    network id blah
    network key blah
    powersaving (111 ms)

.Ed
.It
With an interface that supports media commands, including Ethernet and
IEEE 802.11 wireless interfaces, verbose mode displays which media types are
available.
.Bd -literal -offset indent
nsh/show int sis0
% sis0
  Supported media types:
    media none
    media 10baseT
    media 10baseT, mediaopt full-duplex
    media 100baseTX
    media 100baseTX, mediaopt full-duplex
    media autoselect

.Ed
.El
e.g. briefly list the status of all interfaces on the system.
.Bd -literal -offset indent
nsh(p)/show interface status
% Name    Status  Link            Media
  lo0     up      -
  em0     up      active          Ethernet 1000baseT full-duplex
  enc0    down    active
  pflog0  up      -
  tpmr1   up      active
  vether1 up      active          Ethernet
  vether2 up      active          Ethernet
  vether10 up      active          Ethernet
  vether11 up      active          Ethernet
  bridge101 up      -
  vether20 up      active          Ethernet
  vether21 up      active          Ethernet
  veb201  up      -
nsh(p)/
.Ed
.Pp
.Tg autoconf
.Ic show autoconf
.Pp
Display the interfaces on the system that are dynamically configured and the
current state and configured settings such as IP addresses, routes
nameservers and the server that the system recieved the autoconf settings from.
.Pp
e.g. list current autoconfiguration state of the system.
.Bd -literal -offset indent
nsh(p)/show autoconf
em0 [Bound]
	inet 10.0.2.15 netmask 255.255.255.0
	default gateway 10.0.2.2
	nameservers 10.0.0.1 192.168.0.1
	lease 17 hours
	dhcp server 10.0.2.2
.Ed
.Pp
.Tg ip
.Tg inet
.Tg inet6
.Cm show
.Op ip | inet | inet6
.Pp
Display the IP addresses on all interfaces, their respective rdomains and
where the ip address was configured from on the system including:
.Bl -dash
.It
static
.It
dhcp
.It
ppp
.It
link-local
.El
.Pp
E.g show all ipv4 and IPv6 adddresses on the system
.Bd -literal -offset indent
nsh(p)/show ip
Address      Interface  RDomain  Type
10.0.2.15    em0              0  dhcp
10.10.10.10  em1            200  static
127.0.0.1    lo0              0  static
127.0.0.1    lo0            200  static
::1          lo0              0  static
::1          lo200          200  static
fe80:4::1    lo0              0  link-local
nsh(p)/
.Ed
E.g. show only IPv4 addresses on the system.
.Bd -literal -offset indent
nsh(config-p)/show inet
Address      Interface  RDomain  Type
10.0.2.15    em0              0  dhcp
10.10.10.10  em1            200  static
127.0.0.1    lo0              0  static
127.0.0.1    lo200          200  static
.Ed
E.g. show only IPv6 addresses on the system.
.Bd -literal -offset indent
sh(config-p)/show inet6
Address    Interface  RDomain  Type
::1        lo0              0  static
::1        lo200          200  static
fe80:4::1  lo0              0  link-local
.Ed
.Pp
.Tg route
.Ic show route
.Pp
Display a dump of the kernel's IPv4 routing table, including ARP entries.
.Pp
e.g. display contents of the IPv4 routing table.
.Bd -literal -offset indent
nsh/show route
Flags: U - up, G - gateway, H - host, L - link layer, R - reject (unreachable),
       D - dynamic, S - static

% IPv4 routing table:

Destination     Gateway           Flags  Refs  Packets    Mtu  Interface
0.0.0.0/0       172.20.1.1        UGS      3     57502      -   sis0
127.0.0.0/8     127.0.0.1         UGRS     0         0  33224   lo0
127.0.0.1       127.0.0.1         UH       2        12  33224   lo0
172.20.1.0/24   link#1            U        0         0      -   sis0
172.20.1.1      8:0:20:71:22:e7   UHL      1         0      -   sis0
172.20.1.2      127.0.0.1         UGHS     0         0  33224   lo0
172.20.1.23     link#1            UHL      1      1764      -   sis0
172.20.1.255    link#1            UHL      2      1555      -   sis0
224.0.0.0/4     127.0.0.1         URS      0         0  33224   lo0
.Ed
.Bl -dash
.It
The destination column is simply the destination network which the route
describes.
The gateway is the next hop for this route to pass through.
Gateways which are described as 'link#' are local area networks or members of
local area networks.
.It
The flags are useful to determine if the kernel is using a particular
route or not.
.It
U - up
  This route is active
G - gateway
  The destination of this route is behind a gateway (next hop).
H - host
  This route describes a host on the local network.
L - link layer
  The destination has been or needs to be discovered through a layer 2 protocol
R - reject
  This route is unreachable, and therefore marked unusable in the kernel
D - dynamic
  This is a dynamic route which has is managed through routing software on
  the local system (such as ripd, ospfd or bgpd)
S - static
  This is a static route set by a user
.El
.Pp
.Tg route6
.Ic show route6
.Pp
Display a dump of the kernel's IPv6 routing table, including neighbour entries.
.Pp
e.g. display contents of the IPv6 routing table.
.Bd -literal -offset indent
nsh(p)/show route6
Flags: U - up, G - gateway, H - host, L - link layer, R - reject (unreachable),
       D - dynamic, S - static, T - MPLS, c - CLONED, l - LOCAL

% IPv6:
Destination         Gateway        Flags    Refs    Use    Mtu  Interface
::/96               ::1            UGRS        0      0  32768   lo0
::1                 ::1            UH         10     20  32768   lo0
::ffff:0.0.0.0/96   ::1            UGRS        0      0  32768   lo0
2002::/24           ::1            UGRS        0      0  32768   lo0
2002:7f00::/24      ::1            UGRS        0      0  32768   lo0
2002:e000::/20      ::1            UGRS        0      0  32768   lo0
2002:ff00::/24      ::1            UGRS        0      0  32768   lo0
fe80::/10           ::1            UGRS        0      0  32768   lo0
fec0::/10           ::1            UGRS        0      0  32768   lo0
fe80::1%lo0         fe80::1%lo0    UH          0      0  32768   lo0
ff01::/16           ::1            UGRS        0      0  32768   lo0
ff01::%lo0/32       fe80::1%lo0    U           0      1  32768   lo0
ff02::/16           ::1            UGRS        0      0  32768   lo0
ff02::%lo0/32       fe80::1%lo0    U           0      1  32768   lo0
nsh(p)/
.Ed
.Pp
.Tg sadb
.Tg ipsec
.Ic show sadb
.Pp
Display the IPSEC security association database of the system.
.Pp
.Tg arp
.Ic show arp
.Pp
Display Address Resolution Protocol table of the system, listing
IPv4 to layer2 mac-address entries, the interfaces they were learned on and the
expiry of each interfaces.
Locally configured IPv4 addresses appear as permanent arp entries.
.Pp
e.g. display contents of the arp table.
.Bd -literal -offset indent
nsh(p)/show arp
Host           Ethernet Address   Netif Expire     Flags
10.0.2.2       52:54:00:12:35:02    em0 2m14s
10.0.2.15      08:00:27:bd:cb:77    em0 permanent  l
nsh(p)/
.Ed
.Pp
.Tg ndp
.Ic show ndp
.Pp
Display Neighbour Discovery Protocol NDP table.
Neighbour Discovery Protocol database of the system, listing
IPv6 to layer2 mac-address entries, the interfaces they were learned on and the
expiry of each interfaces.
Locally configured IPv6 addresses appear as permanent ndp entries.
.Pp
e.g. display contents of the ndp table.
.Bd -literal -offset indent
nsh(p)/show ndp
Neighbor                       Linklayer Address   Netif Expire    S Flags
fe80::a00:27ff:febd:cb77%em0   08:00:27:bd:cb:77     em0 permanent R l
fe80::cafe:babe:beef:face%em0  52:54:00:12:35:02     em0 17m03s
nsh(p)/
.Ed
.Pp
.Tg vlan
.Ic show vlan
.Op vlan-id
.Op <rangestart-vlan-id> <range-end-vlan-id>
.Pp
Display all virtual local area network interfaces configured on the system.
It Lists the following:
.Bl -dash
.It
the vlan interface name
.It
the vlan's parent interfaces
.It
the status of the interface
.It
the rdomain of the interface
.It
any layer2 forwarding device the vlan interface is a member of
.It
the vlan interface description.
.El
List of vlans displayed can be restricted to an individual vlan if its vlan-id
is supplied as an optional argument.
The vlans displayed can be restricted to a range of vlans if the start and end
vlan-id are supplied as 2 optional consequitive arguments in ascending order.
.Pp
E.g. display all vlan interfaces on the system
.Bd -literal -offset indent
nsh(p)/show vlan
% Interface  Tag   Status  Type    RDomain  Parent  Bridge   Description
  vlan4093   4093  up      802.1Q      200  em1     -        Chris-VLAN
  vlan100    100   up      802.1Q        0  em1     -        Stefan-VLAN
  vlan200    200   up      802.1Q      200  em1     tpmr100  Tom-VLAN
nsh(p)/
.Ed
e.g. display information on all vlans with vnetid/tag of 200.
.Bd -literal -offset indent
nsh(p)/show vlan 200
% Interface  Tag   Status  Type     RDomain   Parent    Bridge   Description
  vlan200    200   up      802.1Q       200   em1       tpmr100  Tom-VLAN
nsh(p)/
.Ed
.Pp
E.g. show vlan interfaces with vlan-ids the range 100 to 4093
.Bd -literal -offset indent
nsh(p)/show vlan 100 4093
% Interface  Tag   Status  Type    RDomain  Parent  Bridge   Description
  vlan4093   4093  up      802.1Q      200  em1     -        Chris-VLAN
  vlan200    200   up      802.1Q      200  em1     tpmr100  Tom-VLAN
.Ed
.Pp
.Tg bridge
.Tg veb
.Tg tpmr
.Ic show bridge
.Op bridge-interface | veb-interace | tpmr-interface
.Pp
Without specifying an argument, it displays all layer2 forwarding
devices configured on the system, and all members of each layer2
forwarding device, and any description of the layer2 forwarding
device.
Layer 2 forwarding devices supported by this command include
.Xr bridge 4
standard bridge,
.Xr veb 4
virtual ethernet bridge
and the
.Xr tpmr 4
two port mac relay device.
.Pp
e.g. Display all layer2 forwarding devices and their member ports
.Bd -literal -offset indent
nsh(p)/show bridge
% Bridge    Status  Member Interfaces
  bridge1   down
            Description: -
  bridge100 up      vlan100
            Description: Tom-Smyths-Bridge
  veb200    up      vlan200
            Description: Chris-Cappuccios-Bridge
  tpmr102   up      vether1102 vether2102
            Description: dlg-bridge
nsh(p)/
.Ed
e.g. Display the information the tpmr102 layer2 forwarding device
.Bd -literal -offset indent
nsh(p)/show bridge tpmr102
% Bridge    Status  Member Interfaces
  tpmr102   up      vether1102 vether2102
            Description: 2PortMacRelay-bridge-102
.Ed
.Pp
.Tg kernel
.Tg ip
.Tg ah
.Tg esp
.Tg tcp
.Tg icmp
.Tg igmp
.Tg ipcomp
.Tg route
.Tg carp
.Tg mbuf
.Tg pf
.Ic show kernel
.Op Ar ip | ah | esp | tcp | icmp | igmp | ipcomp | route | carp | mbuf | pf
.Pp
Display kernel statistics available for query.
Display kernel statistics as selected by the argument.
Executing show kernel without an argument lists all available statistics
.Pp
e.g. show available kernel statistics.
.Bd -literal -offset indent
nsh(p)/show kernel
% Arguments may be abbreviated

  show kernel ip     Internet Protocol statistics
  show kernel ah     Authentication Header statistics
  show kernel esp    Encapsulated Security Payload statistics
  show kernel tcp    Transmission Control Protocol statistics
  show kernel udp    Unreliable Datagram Protocol statistics
  show kernel icmp   Internet Control Message Protocol statistics
  show kernel igmp   Internet Group Management Protocol statistics
  show kernel ipcomp IP Compression statistics
  show kernel route  Routing statistics
  show kernel carp   Common Address Redundancy Protocol statistics
  show kernel mbuf   Packet memory buffer statistics
  show kernel pf     Packet Filter statistics
nsh(p)/
.Ed
.Pp
e.g. show packet filter kernel statistics
.Bd -literal -offset indent
nsh(p)/show kernel pf
% pf statistics:
Status: Enabled for 0 days 23:58:32              Debug: err

State Table                          Total             Rate
  current entries                        7
  half-open tcp                          0
  searches                          284973            3.3/s
  inserts                              836            0.0/s
  removals                             829            0.0/s
Counters
  match                                841            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              1            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s
  no-route                               0            0.0/s
nsh(p)/
.Ed
.Pp
.Tg ip
.Tg route
.Tg bgp
.Ic show bgp
.Op Ar announced | interfaces | nexthop | summary | rib | neighbor | ip
.Pp
Display status for
.Xr bgpd 8
Border Gateway Protocol BGPv4 dynamic routing on this system.
e.g. show bgp
.Bd -literal -offset indent
nsh(p)/show bgp
% Arguments may be abbreviated

  show bgp announced  All announced networks information
  show bgp interfaces Interface states information
  show bgp nexthop    BGP nexthop routes information
  show bgp summary    Neighbor session states and counters information
  show bgp rib        Routing Information Base information
  show bgp neighbor   Detailed peer information
  show bgp ip         IP BGP information
nsh(p)/
.Ed
.Pp
.Tg ip
.Tg ospf
.Tg route
.Ic show ospf
.Op Ar fib | database | interfaces | neighbor | rib | summary
.Pp
Display the state of
.Xr ospfd 8
Open Shortest Path First OSPF dynamic links state routing
protocol for IPv4 on this system.
.Bd -literal -offset indent
nsh(p)/show ospf
% Arguments may be abbreviated

  show ospf fib        Forward Information Base information
  show ospf database   Link State Database information
  show ospf interfaces Interface information
  show ospf neighbor   Neighbor information
  show ospf rib        Routing Information Base information
  show ospf summary    Summary information
nsh(p)/
.Ed
.Pp
.Tg ospf6
.Tg ospfv3
.Tg route6
.Ic show ospf6
.Op Ar fib | database | interfaces | neighbor | rib | summary
.Pp
Display the state of
.Xr ospf6d 8
Open Shortest Path First OSPFv3 daemon for dynamic links state
routing protocol for IPv6 on this system.
.Bd -literal -offset indent
nsh(p)/show ospf6
% Arguments may be abbreviated

  show ospf6 fib        Forward Information Base information
  show ospf6 database   Link State Database information
  show ospf6 interfaces Interface information
  show ospf6 neighbor   Neighbor information
  show ospf6 rib        Routing Information Base information
  show ospf6 summary    Summary information
nsh(p)/
.Ed
.Pp
.Tg pf
.Ic show pf
.Op Ar all | anchors | info | labels | memory | queues | rules | sources |
 states | tables | timeouts | osfingerprint | interfaces
.Pp
Display the status of
.Xr pf 4
.Ox
Packet Filter firewall.
.Nm uses
.Xr pfctl 8
with the -s (show) command with modifier arguments to display various aspects
the current pf status on the system.
.Bd -literal -offset indent
nsh(p)/show pf
% Arguments may be abbreviated

  show pf all           all pf info except fingerprints and interfaces information
  show pf anchors       currently loaded anchors in main pf ruleset information
  show pf info          pf filter statistics, counters and tracking information
  show pf labels        per rule stats (bytes, packets and states) information
  show pf memory        current pf pool memory hard limit information
  show pf queues        currently loaded pf queue definition information
  show pf rules         active pf firewall rule information
  show pf sources       contents of the pf source tracking table information
  show pf states        contents of the pf state table information
  show pf tables        pf table information
  show pf timeouts      current pf global timeout information
  show pf osfingerprint pf Operating System fingerprint information
  show pf interfaces    pf usable interfaces/ interface group information
nsh(p)/
.Ed
.Tg eigrp
.Ic show eigrp
.Op Ar interfaces | neighbor | topology | traffic
.Pp
Display the status of
.Xr eigrpd 8
Enhanced Interior Gateway Routing Protocol (EIGRP) daemon.
.Bd -literal -offset indent
nsh(p)/show eigrp
% Arguments may be abbreviated

  show eigrp interfaces Interface information
  show eigrp neighbor   Neighbor information
  show eigrp topology   Topology information
  show eigrp traffic    Traffic information
nsh(p)/
.Ed
.Pp
.Tg rip
.Ic show rip
.Op Ar fib | interfaces | neighbor | rib
.Pp
Display the status of
.Xr ripd 8
Routing Information Protocol RIP daemon for dynamic
distance vector routing protocol on this system.
.Bd -literal -offset indent
nsh(p)/show rip
% Arguments may be abbreviated

  show rip fib        Forward Information Base information
  show rip interfaces Interfaces information
  show rip neighbor   Neighbor information
  show rip rib        Routing Information Base information
nsh(p)/
.Ed
.Pp
.Tg mpls
.Tg ldp
.Tg label
.Tg l2vpn
.Ic show ldp
.Op Ar fib | interfaces | neighbor | lib | discovery | l2vpn
.Pp
Display information on the status of
.Xr ldpd 8
Label Distribution protocol LDP routing daemon for MPLS Multi
Protocol label Switching on this system.
.Bd -literal -offset indent
nsh(p)/show ldp
% Arguments may be abbreviated

  show ldp fib        Forward Information Base information
  show ldp interfaces Interfaces information
  show ldp neighbor   Neighbors information
  show ldp lib        Label Information Base information
  show ldp discovery  Adjacencies information
  show ldp l2vpn      Pseudowire information
nsh(p)/
.Ed
.Pp
.Tg ipsec
.Tg ike
.Tg ikev2
.Tg flow
.Tg sa
.Tg sadb
.Ic show ike
.Op Ar monitor
.Pp
Display Information on the Internet Key Exchange IKEv2 daemon on
this system.
.Pp
.Ic show ipsec
.Op Ar flows | sadb
.Pp
Display IPSECurity information related to either IPSEC flows or the
Security Association Database on the system.
.Pp
.Tg dvmrp
.Tg multicast
.Tg igmp
.Ic show dvmrp
.Op Ar igmp | interfaces | mfc | neighbor | rib | summary
.Pp
Display status information from
.Xr dvmrpd 8
the Distance Vector Multicast Routing Protocol (DVMRP) daemon.
.Bd -literal -offset indent
nsh(p)/show dvmrp
% Arguments may be abbreviated

  show dvmrp igmp       Internet Group Message Protocol information
  show dvmrp interfaces Interfaces information
  show dvmrp mfc        Multicast Forwarding Cache information
  show dvmrp neighbor   Neighbor information
  show dvmrp rib        Routing Information Base information
  show dvmrp summary    Summary information
nsh(p)/
.Ed
.Tg relay
.Tg relayd
.Ic relay
.Op Ar hosts | redirects | status | sessions | summary
.Pp
Display status information from
.Xr relayd 8
daemon for loadbalancing, TLS termination and content switching.
.Bd -literal -offset indent
nsh(p)/show relay
% Arguments may be abbreviated

  show relay hosts     hosts information
  show relay redirects redirects information
  show relay status    status information
  show relay sessions  sessions information
  show relay summary   summary information
nsh(p)/
.Ed
.Pp
.Tg dhcp
.Tg ip
.Tg lease
.Ic show dhcp
.Op Ar leases
Display leases recored in the lease database as handed out by
.Xr dhcpd 8
Dynamic Host Configuration Protocol (DHCP) daemon.
.Pp
.Tg ldap
.Tg auth
.Ic show ldap
.Op Ar stats
Display statistics from
.Xr ldapd 8
Lightweight Directory Access Protocol (LDAP) daemon.
.Pp
.Ic show monitor
.Pp
Start an interactive console monitor mode for the system's routing socket.
The monitor displays raw descriptions of the data passing into the kernel's
routing socket and dumps of the kernel's routing messages to the machine.
Press enter or control-C to exit this mode.
.Pp
.Tg show
.Tg stat
.Tg systat
.Tg statistics
.Ic show system-stats
.Op bucket | mbuf | pigs | sensors | virtual-memory\
 | cpu | net | pool | states\
 | interface | packet-filter | queues | swap\
 | malloc | pcache | rules | uvm
.Pp
.Cm show
.Cm system-stats
displays various system statistics using curses display and the
.Xr systat 1
command with the -d 3 option set, the behaviour of the command in
.Nm .
is to display 3 screens of data and then return back to
.Nm .
.Bd -literal -offset indent
nsh(p)/show system-stats
% Arguments may be abbreviated

  show system-stats interface      Interface information
  show system-stats net            Network connection information
  show system-stats mbuf           Network data memory buffer info
  show system-stats queues         Active Packet Filter queue info
  show system-stats rules          Active Packet Filter rule info
  show system-stats states         Packet Filter connection state info
  show system-stats packet-filter  Packet Filter information
  show system-stats sensors        Supported hardware sensor readings
  show system-stats pigs           CPU resource hog program info
  show system-stats virtual-memory Virtual memory usage information
  show system-stats cpu            CPU usage information
  show system-stats uvm            UVM subsystem information
  show system-stats swap           Swap space usage information
  show system-stats pool           Kernel pool usage information
  show system-stats pcache         Kernel pool per CPU cache info
  show system-stats malloc         Kernel memory allocation type info
  show system-stats bucket         Kernel malloc bucket information
nsh(p)/show system-stats
.Ed
.Pp
.Tg statistics
.Tg show
.Tg systat
.Tg interface
.Ic show system-stats interface
.Pp
Display network interface statistics from
.Xr systat 1
the output is the same as the
.Xr systat 1
command with the ifstat argument on
.Ox .
.Bd -literal -offset indent
nsh(p)/show system-stats interface
   0 users Load 0.03 0.05 0.01                      nsh 22:36:37

IFACE     STATE DESC     IPKTS IBYTES IFAILS  OPKTS OBYTES OFAILS
em0       up:U               0      0      0      0      0      0
em1       dn:U               0      0      0      0      0      0
enc0      dn:U               0      0      0      0      0      0
lo0       up                 0      0      0      0      0      0
pflog0    up                 0      0      0      0      0      0
Totals                       0      0      0      0      0      0
.Ed
.Pp
.Tg statistics
.Tg show
.Tg systat
.Tg net
.Tg netstat
.Ic show system-stats net
.Pp
Display network connections.
Each address is displayed numerically in the format "hostip:port"
The output is the same as the
.Xr systat 1
command with the netstat argument on
.Ox .
.Bd -literal -offset indent
nsh(p)/show system-stats net
   0 users Load 0.03 0.04 0.00                    nsh 22:39:37

LOCAL ADDRESS    FOREIGN ADDRESS    PROTO   RECV-Q  SEND-Q STATE
10.0.2.15:23041  10.4.90.13:123     udp          0       0
10.0.2.15:12678  10.4.89.13:123     udp          0       0
.Ed
.Pp
.Tg statistics
.Tg show
.Tg systat
.Tg mbuf
.Ic show system-stats mbuf
.Pp
Display mbuf usage information from kernel pools and mbuf cluster pool
statistics of each network interface.
This command is the equivalent of running the
.Xr systat 1
command with the mbuf argument
.Ox .
.Bd -literal -offset indent
nsh(p)/show system-stats mbuf
   0 users Load 0.52 0.37 0.17                     nsh 23:27:47

IFACE            RING    LIVELOCKS  SIZE ALIVE   LWM   HWM   CWM
System           mbufs           0   256    95           9
                 mcl2k              2048     0           3
                 mcl2k2             2112    18           3
                 mcl4k              4096     0           3
                 mcl8k              8192     0           3
                 mcl9k              9216     0           1
                 mcl12k            12288     0           2
                 mcl16k            16384     0           3
                 mcl64k            65536     0           3
lo0
em0                                 2050    18    16   256    18
em1
enc0
pflog0
.Ed
.Pp
.Tg statistics
.Tg show
.Tg systat
.Tg queue
.Tg QOS
.Tg pf
.Tg shaping
.Ic show system-stats queues
.Pp
Display currently active
.Xr pf 4
queues.
The output is the same as the
.Xr systat 1
command with the queues argument on
.Ox .
.Bd -literal -offset indent
nsh(p)/show system-stats queues
   0 users Load 0.01 0.02 0.00                        nsh 00:34:38

QUEUE        BW/FL SCH    PKTS  BYTES  DROP_P DROP_B QLEN BORR SUSP
rootq on em0   20M fifo      0      0       0      0    0
 main          20M fifo      0      0       0      0    0
  qdef       9600K fifo     28   2125       0      0    0
  qweb       9600K fifo      0      0       0      0    0
  sdqpri      700K fifo      0      0       0      0    0
  qdns        200K fifo    549  49360       0      0    0
 spamd       1000  fifo      0      0       0      0    0
.Ed
.Pp
.Tg statistics
.Tg show
.Tg systat
.Tg rules
.Tg pf
.Ic show system-stats rules
.Pp
Display
.Xr pf 4
rule statistics.
The ouput is the same as the
.Xr systat 1
command with the rules argument
.Ox .
.Bd -literal -offset indent
nsh(p)/show system-stats rules
   0 users Load 0.39 0.17 0.06                          nsh 00:41:41

RU  A D L Q IF   PR   K  PKTS BYTES INFO
 0  B A                     0     0  return all
 1  P A               K  1190 98403  all
 2  M I   Q em0  tcp        0     0  from any to any port = ftp  queue
 3  M I   Q em0  tcp        0     0  from any to any port = www  queue
 4  M O     em0  udp     1152 87696  all  queue qdns
 5  M O     em0  icmp       0     0  all  queue qdef
 6  B I     !lo0 tcp        0     0  turn from any to any port 6000:6
 7  B O L        tcp        0     0  return all user = 55
 8  B O L        udp        0     0  return all user = 55
.Ed
.Pp
sd.Tg statistics
.Tg show
.Tg systat
.Tg pf
.Tg states
.Ic show system-stats states
.Pp
Display list of connections in the PF state table.
.Xr systat 1
command with the states argument on
.Ox .
.Bd -literal -offset indent
nsh(p)/show system-stats states
   0 users Load 0.03 0.08 0.06                          nsh 00:49:41

PR   D SRC              DEST           STATE   AGE   EXP  PKTS BYTES R
udp  O 10.0.2.1:12678  10.4.89.12:123   2:2   9479    28   600 45600
udp  O 10.0.2.5:23041  10.4.90.12:123   2:2   9479    56   602 45752
.Ed
.Pp
.Tg statistics
.Tg show
.Tg systat
.Tg pf
.Ic show system-stats packet-filter
.Pp
Display general
.Xr pf 4
statistics.
output of the command is identical to that of
.Xr systat 1
command with the pf argument on
.Ox .
.Bd -literal -offset indent
nsh(p)/show system-stats packet-filter
   0 users Load 0.05 0.10 0.08 (1-42 of 48)           nsh 00:59:36

            TYPE NAME                  VALUE       RATE
              pf Status              Enabled
              pf Since              02:47:57
              pf Debug                   err
              pf Hostid           0xe9bfd8a6

           state Count                     2
           state searches               1322       0.13
           state inserts                   8       0.00
           state removals                  6       0.00

       src track Count                     0
       src track searches                  0       0.00
       src track inserts                   0       0.00
       src track removals                  0       0.00

        fragment Count                     0
        fragment searches                  0       0.00
        fragment inserts                   0       0.00
        fragment removals                  0       0.00

         counter match                     8       0.00
         counter bad-offset                0       0.00
         counter fragment                  0       0.00
         counter short                     0       0.00
         counter normalize                 0       0.00
         counter memory                    0       0.00
         counter bad-timestamp             0       0.00
         counter congestion                0       0.00
         counter ip-option                 0       0.00
         counter proto-cksum               0       0.00
         counter state-mismatch            0       0.00
         counter state-insert              0       0.00
         counter state-limit               0       0.00
         counter src-limit                 0       0.00
         counter synproxy                  0       0.00
         counter translate                 0       0.00
         counter no-route                  0       0.00

   limit counter max states per rule       0       0.00
   limit counter max-src-states            0       0.00
   limit counter max-src-nodes             0       0.00
.Ed
.Pp
.Tg statistics
.Tg show
.Tg systat
.Tg sensor
.Tg hardware
.Tg enviornment
.Ic show system-stats sensors
.Pp
Display live readings from supported hardware sensors
Each address is displayed numerically in the format "hostip:port"
.Xr systat 1
command with the sensors argument on
.Ox .
.Bd -literal -offset indent
nsh(p)/show system-stats sensors
   0 users Load 0.00 0.00 0.00                          nsh 01:46:11

SENSOR                         VALUE  STATUS  DESCRIPTION
acpibat0.volt0            10.00 V DC          voltage
acpibat0.volt1            10.00 V DC          current voltage
acpibat0.power0               0.00 W          rate
acpibat0.watthour0          50.00 Wh          last full capacity
acpibat0.watthour1           0.10 Wh          warning capacity
acpibat0.watthour2           0.05 Wh          low capacity
acpibat0.watthour3          49.50 Wh    OK    remaining capacity
acpibat0.watthour4          50.00 Wh          design capacity
acpibat0.raw0                  0 raw    OK    battery idle
acpiac0.indicator0                On          power supply
.Ed
.Pp
.Tg statistics
.Tg show
.Tg systat
.Tg top
.Tg pig
.Tg hog
.Tg resource
.Ic show system-stats pigs
.Pp
Display processes resident in main memory and gettting largest
portion of the processor.
This has the same output as the
.Xr systat 1
command with the pigs argument on
.Ox .
.Bd -literal -offset indent
nsh(p)/show system-stats pigs
   0 users Load 0.00 0.00 0.00                         nsh 02:55:02

     PID USER      NAME       CPU     20\    40\    60\    80\  100\
                   <idle>   88.28 #############################
   13920 _relayd   relayd    2.93
.Ed
.Pp
.Tg statistics
.Tg show
.Tg systat
.Tg virtual-memory
.Tg vmstat
.Tg interrupt
.Tg io
.Tg load
.Tg interface
.Ic show system-stats virtual-memory
.Pp
Display statistics related to virtual memory usage,
process scheduling, device interrupts, system name
translation caching, disk I/O
the output is the same as the
.Xr systat 1
command with no argument or with the vmstat argument on
.Ox .
.Bd -literal -offset indent
nsh(p)/show system-stats vmstat
   0 users Load 0.01 0.01 0.00                              nsh 02:59:46

            memory totals (in KB)            PAGING SWAPPING   Interrupts
           real   virtual     free           in  out in  out   321 total
Active   368476    368476  5867920   ops                           em0
All     2236328   2236328  5867920   pages                         em1
                                                                 1 ahci0
Proc:r  d  s  w    Csw   Trp   Sys   Int   Sof  Flt     forks      ohci0
         153        41   289   159     1   101  293     fkppw      pckbc0
                                                        fksvm      pckbc0
   0.1%Int   0.0%Spn   0.1%Sys   0.3%Usr  99.5%Idle     pwait  302 clock
|    |    |    |    |    |    |    |    |    |    |     relck   18 ipi
                                                        rlkok
                                                        noram
Namei         Sys-cache    Proc-cache    No-cache    12 ndcpy
    Calls     hits    %    hits     %    miss   %       fltcp
      122      122  100                             280 zfod
                                                        cow
Disks   sd0   cd0   sd1                           67535 fmin
seeks                                             90046 ftarg
xfers     1                                             itarg
speed    7K          2K                               2 wired
  sec   0.0         0.0                                 pdfre
                                                        pdscn
                                                        pzidl       IPKTS
                                                     12 kmape       OPKTS
.Ed
.Pp
.Tg statistics
.Tg show
.Tg systat
.Tg cpu
.Tg processor
.Tg load
.Tg top
.Ic show system-stats cpu
.Pp
Display average usage of each CPU, similar to the summary on the output
of
.Xr top 1
command.
The output is the same as
.Xr systat 1
command with the cpu argument on
.Ox .
.Bd -literal -offset indent
nsh(p)/show system-stats cpu
   0 users Load 0.00 0.01 0.00                     nsh 03:11:16

CPU    User       Nice    System    Spin   Interrupt        Idle
0      0.0%       0.0%      100%    0.0%        0.0%        0.0%
1      0.0%       0.0%      0.0%    0.0%        0.0%        100%
.Ed
.Pp
.Tg statistics
.Tg show
.Tg systat
.Tg uvm
.Tg swap
.Tg load
.Tg memory
.Ic show system-stats uvm
.Pp
Display statistics for the UVM virtual memory system which manages
access to the computer's memory resources.
User processes and the kernel access these resources through UVM's
external interface.
UVM subsystem manages
.Bl -item -offset indent
.It
initialise UVM subsystems
.It
manage virtual address spaces
.It
resolve page faults
.It
memory map files and devices
.It
perform uio-based I/O to virtual memory
.It
allocate and free kernel virtual memory
.It
allocate and free physical memory
.El
.Pp
The output is the same as the
.Xr systat 1
command with the uvm argument on
.Ox .
.Bd -literal -offset indent
nsh(p)/show system-stats uvm
   0 users Load 0.02 0.04 0.01                          nsh 03:22:20


 ===== Page Counters    ===== Stats Counters     ===== Fault Counters
 1978K npages           7120K FAULTS                   fltnoram
 1432K FREE             7389K TRAPS                    fltnoanon
 92122 ACTIVE          123678 INTRS                    fltnoamap
173997 inactive         1528K SWTCH                    fltpgwait
       paging           2124K SOFTS                    fltpgrele
     2 wired            6874K SYSCALLS          251193 fltrelck
241374 zeropages              pageins           247509 fltrelckok
    25 PERCPUCACHES           pgswapin          298012 FLTANGET
                              pgswapout                fltanretry
                         1905 forks             356067 FLTAMCOPY
 ===== Pageout Params      11 forks_ppwait       83976 fltnamap
 67535 freemin            764 forks_sharevm     351294 fltnomap
 90046 freetarg         11298 pga_zerohit       400526 FLTLGET
       inactarg          2387 pga_zeromiss      251198 fltget
675354 wiredmax                                 266959 FLT_ANON
    25 anonmin          ===== Daemon Counters    31053 flt_acow
    12 vtextmin               pdwoke            355410 FLT_OBJ
    25 vnodemin               pdrevs             41427 flt_prcopy
    10 anonminpct             pdswout            6439K FLT_PRZERO
     5 vtextminpct            swpgonly
    10 vnodeminpct            pdfreed       ===== Swap Counters
                              pdscans             nswapdev
 ===== Misc Counters          pdanscan            swpages
       fpswtch                pdobscan            swpginuse
    12 kmapent                pdreact             swpgonly
                              pdbusy              nswget
 ===== Constants              pdpageouts
  4096 pagesize               pdpending     ===== Per-CPU Counters
  4095 pagemask               pddeact       6002K PCPHIT
    12 pageshift                           863424 PCPMISS
.Ed
.Pp
.Tg statistics
.Tg show
.Tg systat
.Tg swap
.Tg memory
.Tg load
.Ic show system-stats swap
.Pp
Show information about swap space usage on all the swap areas
compiled into the kernel.
The graph shows the percentage of space in use on each partition.
Areas known to the kernel but not in use are shown as not available.
The output is the same as the
.Xr systat 1
command with the swap argument on
.Ox .
.Bd -literal -offset indent
nsh(p)/show system-stats swap
   0 users Load 0.04 0.03 0.00                        nsh 03:33:22

DISK  512-blocks USED       20\      40\      60\      80\     100\
                     No swap devices
.Ed
.Pp
.Tg statistics
.Tg show
.Tg systat
.Tg pool
.Tg vmstat
.Ic show system-stats pool
.Pp
Display kernel
.Xr pool 9
statistics simialar to the output the
.Xr vmstat 8
command with the -m switch.
The output is the same as the
.Xr systat 1
command with the pool argument on
.Ox .
.Bd -literal -offset indent
nsh(p)/show system-stats pool
   0 users Load 0.01 0.00 0.00 (1-42 of 164)       nsh 03:41:17

NAME         SIZE REQUESTS FAIL  INUSE  PGREQ  PGREL  NPAGE HIWA
acpiwqpl       32     1978    0      0      1      0      1    1
aesni         576        0    0      0      1      0      1    1
amapchunkpl   152   210000    0   4957    227     35    192  192
amappl         88    21258    0   1223     46     18     28   32
amappl1        80    35443    0   4726    104      2    102  103
amappl10      152      901    0     70      3      0      3    3
amappl11      160      913    0     68      4      1      3    3
amappl12      168     3733    0     89      7      2      5    5
amappl13      176      907    0     35      2      0      2    2
amappl14      184     1619    0     84      6      1      5    5
amappl15      192      665    0     16      2      1      1    1
amappl16      200   305009    0    999    110     53     57   61
amappl2        88    12272    0   1565    130     95     35  108
amappl3        96     6278    0    674     23      6     17   17
amappl4       104     4894    0    501     53     39     14   45
amappl5       112     1569    0    133      8      2      6    6
amappl6       120      158    0    146      8      3      5    5
amappl7       128     1668    0    113      5      1      4    4
amappl8       136     2568    0    178     57     46     11   31
amappl9       144      981    0     81     19     15      4    4
anonpl         24  8040785    0  76043    525     49    476  477
aobjpl         72        4    0      2      1      0      1    1
arp            88        2    0      2      1      0      1    1
art_heap4     256       96    0     96      6      0      6    6
art_heap8    4096        1    0      1      1      0      1    1
art_node       16       22    0     22      1      0      1    1
art_table      32       97    0     97      1      0      1    1
bufpl         280    91099    0  72676   5578    313   5265 5578
dino2pl       256    35129    0  13892    879     10    869  869
dirhash      1024      534    0    498     63      0     63   63
dma128        128        5    0      0      1      1      0    1
dma16          16        2    0      0      1      1      0    1
dma256        256       17    0      0      1      1      0    1
dma32          32       15    0      0      1      1      0    1
dma4096      4096        2    0      0      1      1      0    1
dma512        512        6    0      3      1      0      1    1
dma64          64        3    0      0      1      1      0    1
extentpl       40       66    0     20      1      0      1    1
fdescpl       432     1161    0     69     12      4      8    9
ffsino        240    35129    0  13892    828     10    818  818
filepl        120   192747    0    631     22      1     21   21
futexpl        64     4543    0     27      2      1      1    1
.Ed
.Pp
.Tg statistics
.Tg show
.Tg systat
.Tg pcache
.Tg cpu
.Tg processor
.Tg cache
.Ic show system-stats pcache
.Pp
Display kernel
.Xr pool 9
per CPU Cache statistics.
The output of this command in
.Nm
is the same as the
.Xr systat 1
command with the pcache argument
.Ox
.Bd -literal -offset indent
nsh(p)/show system-stats pcache
   0 users Load 0.00 0.00 0.00                      nsh 07:27:07

NAME     LEN IDLE  NGC  CPU       REQ        REL     LREQ     LREL
knotepl    8    0   34    0   5083315    5082739      134       61
                          1   4391987    4392854       46      153
mbufpl     8    0  192    0    381062     373361     2781     1818
                          1    422272     431527     1841     2996
mcl12k     8    0    1    0       356        365        0        0
                          1       298        313        0        1
mcl16k     8    0    4    0       661        701        6        9
                          1       557        565        7        8
mcl2k      8    0    0    0     17175      17019       50       30
                          1     15455      15628       31       51
mcl2k2     8    0   95    0      1417       1248       22        0
                          1        42        988        0      117
mcl4k      8    0    5    0      4665       4797       13       28
                          1      3807       3731       25       15
mcl64k     8    0    8    0      2619       2894       23       56
                          1      2722       2528       53       28
mcl8k      8    0    2    0      3853       3927       14       22
                          1      3221       3180       20       14
mcl9k      8    0    1    0        82        103        0        1
                          1        71         75        0        0
mtagpl     8    0    0    0         1          2        0        0
                          1         0          0        0        0
pvpl       8    * 3895    0   5773656    5773193   664752   666800
                          1   4615157    4695887   525893   533869
.Ed
.Pp
.Tg statistics
.Tg show
.Tg systat
.Tg cpu
.Tg processor
.Tg malloc
.Tg memory
.Ic show system-stats malloc
.Pp
Display kernel
.Xr malloc 9
type statistic similar to the output of
.Xr vmstat 8
command with the -m switch.
The output is the same as the
.Xr systat 1
command with the malloc argument
.Bd -literal -offset indent
nsh(p)/show system-stats malloc
   0 users Load 0.12 0.03 0.01                      nsh 07:07:43

TYPE          INUSE MEMUSE HIGHUS  LIMIT REQUESTS  BUCKETS
ACPI           2057 248272 418160   220M   120878  |||||.||........
ISOFS mount       1  32768  32768   220M        1  ...........|....
MSDOSFS mount     1  16384  16384   220M        1  ..........|.....
NDP               5     80     80   220M        5  |...............
NFS daemon        1  16384  16384   220M        1  ..........|.....
NFS srvsock       1    128    128   220M        1  ...|............
SYN cache         2  16384  16384   220M        2  .........|......
UFS mount        33  83792  83792   220M       33  |.|||||||.||....
UFS quota         1  32768  32768   220M        1  ...........|....
USB              26   6720   6720   220M       32  |||||..|........
USB HC            1    512    512   220M        1  .....|..........
USB device        6    720    720   220M        8  ||.|.|..........
UVM amap       2711 182528 182656   220M    28453  |||||||..|......
UVM aobj          3   2080   2336   220M        5  |...|..|........
VM map            2   1024   1024   220M        2  .....|..........
VM swap           1     64   2192   220M        4  |.|....|........
counters         48  35200  35200   220M       48  ..|||||.||......
crypto data       1   1024   1024   220M        1  ......|.........
devbuf         2061  2785K  2785K   220M     2974  ||||||||||||||..
dirhash         168  38256  38256   220M      195  |||||||.........
ether_multi       1     64     64   220M        1  ..|.............
exec              0      0   1584   220M     1247  ||..|.|.........
file desc        17  11264  12800   220M       51  .....||.........
ifaddr           25   2176   2176   220M       25  .||.|...........
ifgroup          24   1344   1344   220M       30  .|.|............
in_multi         11    832    832   220M       11  .|.|............
ioctlops          0      0   4096   220M     1592  ....|||||.......
kqueue          108 207360 236032   220M      225  .....|.|........
log               0      0    320   220M        3  ..||............
mount             8   8192   8192   220M        8  ......|.........
pcb              17  12384  12384   220M       17  ||....|.........
pf               19  15424  19200   220M       40  ..|.|..||.......
pinsyscall      132 270336 288768   220M     4212  ....||||........
proc            261 150304 159296   220M      843  |.|...|.||......
rtable           58   1952   2240   220M      195  |||||...........
sem               2    160    160   220M        2  .|.|............
shm               3   5376   5376   220M        3  ....|.|.|.......
sysctl            2    576    576   220M        2  ..|..|..........
tdb               3    768    768   220M        3  ....|...........
temp              9  6793K  6921K   220M   469133  |||||||||||.|..|
ttys             61 207872 207872   220M       61  .....||.|||.....
vnodes           92   6528  81920   220M     1419  ..|||...........
.Ed
.Pp
.Tg statistics
.Tg show
.Tg systat
.Tg malloc
.Tg bucket
.Ic show system-stats bucket
.Pp
Display kernel
.Xr malloc 9
bucket statistics similar to the output of
.Xr vmstat 8
command with the -m switch.
The output is the same as
.Xr systat 1
command with the bucket argument on
.Ox
.Bd -literal -offset indent
nsh(p)/show system-stats bucket
   0 users Load 0.09 0.05 0.01                    nsh 08:56:59

BUCKET     REQUESTS      INUSE      FREE     HIWAT     COULDFREE
16             5377       1472        64      1280             0
32            12847       1106       430       640            58
64           201827        969       823       320          4332
128          161454       2821       187       160           421
256          320113        471         9        80             0
512            2224        174         2        40             0
1024           3680         64         4        20             0
2048           3643        356        12        10           289
4096           2792        559         1         5             0
8192            189         39         1         5             0
16384          1061          9         0         5             0
32768             7          5         0         5             0
65536          2346          0         0         5             0
131072            3          1         0         5             0
262144            0          0         0         5             0
524288            1          1         0         5             0
.Ed
.Pp
.Ic show version
.Pp
Display basic version information about the host and about NSH, including,
 the system's  uptime and kernel version.
It also shows both the kernel that
.Nm
was compiled under, and the
current kernel that
.Nm
is running under.
.Nm
should always be running on a kernel that is of a similar version to the
version of the kernel/header files that
.Nm
was compiled under.
This ensures that
.Nm
can interact with the kernel properly (and vice versa).
.Bd -literal -offset indent
nsh/show version
% NSH v1.1
Compiled 03-Apr-22 06:03 by _pbuild@amd64-1.ports.openbsd.org
uptime: 1 day, 2 hours, 17 minutes
system: OpenBSD/amd64 version 7.1
cpu: Intel(R) Core(TM) i7-10610U CPU @ 1.80GHz
memory: 8175MB
kernel: OpenBSD 7.1 (GENERIC.MP) #459: Mon Apr  4 18:16:13 MDT 2022
    deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
.Ed
.Pp
.Ic show crontab
.Pp
Display the scheduled background jobs of the root user which are
managed by
.Xr cron 8 .
See the
.Xr crontab 5
manual page for information about scheduling rules syntax.
.Pp
.Ic show scheduler
.Pp
Alias for the
.Cm show crontab
command described above.
.Pp
.Ic show running-config
.Pp
Display the current running configuration on the system, including
interface and bridge configurations, routes, the system hostname, firewall
rules, and other information compiled by
.Nm .
.Pp
.Ic show startup-config
.Pp
Display the startup configuration on the system, read from nshrc,
including interface and bridge configuration, routes, the system hostname,
firewall rules, and other information compiled by
.Nm .
.Pp
.Ic show diff-config
.Pp
Display differences between the startup configuration and the running
configuration.
This command requires root user privileges.
.Pp
.Ic show environment Op Ar NAME
.Pp
Display environment variables.
If the
.Ar NAME
of a variable is specified then display the value of this variable.
Otherwise, display all existing environment variable names and values.
.Pp
.Tg setenv
.Ic setenv Ar NAME=VALUE
.Pp
Set the environment variable
.Ar NAME
to the specified
.Ar VALUE
.
If a
.Ar NAME
or
.Ar VALUE
contains whitespace then it must be quoted in double-quotes.
For example:
.Bd -literal -offset indent
nsh/setenv EDITOR=/usr/local/bin/emacs
nsh/setenv MY_VARIABLE="this value contains whitespace"
nsh/setenv "MY OTHER VARIABLE"=my-name-contains-whitespace
.Ed
.Pp
Variables set with
.Cm setenv
are valid for the current session and will be inherited to
other programs started by
.Nm
.
The
.Cm saveenv
command can be used to persist variables set by
.Cm setenv
in the file
.Pa ~/.nshenv .
.Pp
.Tg unsetenv
.Ic unsetenv Ar NAME
.Pp
Delete the variable
.Ar NAME
from the environment.
The
.Cm saveenv
command can be used afterwards to delete the variable from
.Pa ~/.nshenv
as well.
.Pp
.Tg saveenv
.Ic saveenv
.Pp
Save variables set by the
.Cm setenv
command to the file
.Pa ~/.nshenv .
If this file exists and is owned by the invoking user then
.Nm
will automatically load environment variables from this file at startup.
.Pp
.Cm saveenv
is only effective for variables set in the current
.Nm
process.
While switching from non-privileged mode to
privileged mode with the
.Cm enable
command a new
.Nm
process will be started.
Any variables set by
.Cm setenv
in non-privileged mode, before
.Cm enable ,
may still appear in the environment of the privileged process.
But a
.Cm saveenv
command run in the privileged process will not save them.
It is necessary to return to unprivileged mode with the
.Cm disable
command in order to save any variables which were set in
unprivileged mode.
.Pp
.Tg flush
.Tg reset
.Tg kill
.Ic flush
.Op routes | arp | ndp | line | bridge-dyn | bridge-all | bridge-rule | pf | history |\&? | help
.Pp
Clear various system tables, from
.Ox
systems such as
.Xr bridge 4
or,
.Xr pf 4
or,
.Xr route 4
or,
.Xr arp 8
or,
.Xr ndp 8 .
.Bd -literal -offset indent
nsh(p)/flush ?
% Commands may be abbreviated.
% 'flush' commands are:

  routes       IP routes
  arp          ARP cache
  ndp          NDP cache
  line         Active user
  bridge-dyn   Dynamically learned bridge addresses
  bridge-all   Dynamic and static bridge addresses
  bridge-rule  Layer 2 filter rules for a bridge member port
  pf           pf NAT/filter/queue rules, states, tables
  history      Command history
  ?            Options
.Ed
.Pp
.Tg route
.Ic flush routes Oo Ic verbose Oc
.Pp
Clear the system routing table.
If the
.Ic verbose
flag is used then show which routes were deleted.
.Pp
.Tg arp
.Ic flush arp Oo Ic verbose Oc
.Pp
Clear the system arp cache and static arp table.
If the
.Ic verbose
flag is used then show which ARP entries were deleted.
.Pp
.Tg ndp
.Ic flush ndp
.Pp
Clear the system NDP cache and static NDP table.
.Pp
.Tg bridge
.Ic flush bridge-dyn
.Ar bridge-name
.Pp
Clear dynamically learned members from the named bridge.
.Bd -literal -offset indent
nsh/flush bridge-dyn bridge0
.Ed
.Pp
Delete all dynamically learned members from bridge0.
Note! any members set manually (static members) are not removed by this
command.
.Pp
.Tg bridge
.Ic flush bridge-all
.Ar bridge-name
.Pp
Clear dynamically and statically learned members from the named bridge.
.Bd -literal -offset indent
nsh/flush bridge-all bridge0
.Ed
.Pp
.Tg bridge
.Ic flush bridge-rule
.Ar bridge-name
.Ar interface-name
.Pp
Clear all rules on the named bridge on the named interface.
.Bd -literal -offset indent
nsh/flush bridge-rule bridge0 vether0
.Ed
.Pp
.Tg history
.Ic flush history
.Pp
Clear the command history
.Pp
.Tg pf
.Tg flush
.Ic flush
.Op all | filter | os-fingerprint | reset | source-table |\
states | stats | tables
.Pp
Clear or reset various aspects of PF firewall states.
The Flush commands implement the
.Ox
.Xr pfctl 8
command with the -F switch and various arguments to specify
the property in PF you wish to flush.
.Bd -literal -offset indent
nsh(p)/flush pf ?
% Arguments may be abbreviated

  flush pf all            all PF elements flush
  flush pf filter         filter rules flush
  flush pf os-fingerprint passive OS detection fingerprints flush
  flush pf reset          limits, timeouts and options flush
  flush pf source-table   source tracking table flush
  flush pf states         NAT/filter states flush
  flush pf stats          info and stats flush
  flush pf tables         PF address tables flush
.Ed
.Tg route
.Op no
.Ic route
.Op destination
.Op Ar /prefixlen | netmask
.Ar gateway
.Op flags
.Pp
Add or remove static routes.
IPv4 addresses can be configured with prefix length in CIDR or dotted decimal
IP netmasks (e.g. 255.255.255.0) to describe the route.
The IPv6 address may only be configured with a prefix length.
This command only runs in privileged mode.
.Bl -dash
.It
e.g. setup routes on the system
.Bd -literal -offset indent
nsh(config-p)/route 192.168.0.0/16 1.2.3.4
.Ed
.It
is equivalent to:
.Bd -literal -offset indent
nsh(config-p)/route 192.168.0.0/255.255.0.0 1.2.3.4
.Ed
.It
Use the
.Ic no
keyword to remove the specific route (if present) in the routing table.
.Bd -literal -offset indent
nsh(config-p)/no route 192.168.0.0/16 1.2.3.4
.Ed
.It
If you do not specify a mask,
.Nm
assumes you are routing a host address (/32 in ipv4).
.Bd -literal -offset indent
nsh(config-p)/route 10.6.6.4 1.2.3.4
.Ed
.It
Routing flags may be defined after a route.
.Bd -literal -offset indent
nsh(config-p)/route 127.0.0.0/8 127.0.0.1 reject
.Ed
.It
or
.Bd -literal -offset indent
nsh(config-p)/route ::/96 ::1 reject
.Ed
.El
.Ss Route Flags
Flags:
.Ic blackhole | cloning | iface | llinfo | nmpath\
 | nostatic | proto1 | proto2 | reject
.Op mtu Ar mtu-bytes
.Op expire Ar seconds
.Bd -literal
blackhole	RTF_BLACKHOLE	discard packets for this route
cloning		RTF_CLONING	generate a new route on use
iface		!RTF_GATEWAY	destination is directly reachable
llinfo		RTF_LLINFO	translates proto addr(l3) to link addr(l2)
nompath		!RTF_MPATH	do not allow multiple gateways for this route
nostatic	!RTF_STATIC	do not save this in the static routing table
proto1		RTF_PROTO1	protocol specific flag #1
proto2		RTF_PROTO2	protocol specific flag #2
reject		RTF_REJECT	reject packets with ICMP unreachable
.Ed
.Tg quit
.Ic quit
.Pp
exit
.Nm
.
.Pp
.Tg verbose
.Op no
.Ic verbose
.Pp
Sets verbose mode on / off.
(By default verbose mode is off).
Use the
.Ic no
keyword turn verbose mode off.
.Bd -literal -offset indent
nsh(p)/verbose
% Diagnostic mode enabled

nsh(p)/no verbose
% Diagnostic mode disabled

.Ed
.Pp
.Tg editing
.Op no
.Ic editing
.Pp
Set command line editing on / off.
(If defaults to on).
Use the
.Ic no
keyword to turn command editing mode off.
.Bd -literal -offset indent
nsh(p)/editing
% Command line editing enabled

nsh(p)/no editing
% Command line editing disabled
.Ed
.Pp
.Tg shell
.Tg ksh
.Tg sh
.Tg csh
.Ic nsh(p)/!
.Ar Cm shell-command
.Op argument-1
.Op Ar argument-n
.Pp
Invoke a shell or run an entered executable with arguments if required.
(requires privileged mode).
The active users login shell is the shell that is invoked by this feature.
This feature can be disabled to restrict users from starting a different
shell or executable from
.Nm
.
If ! is entered without arguments in privilaged mode or global config mode,
no operation will be carried out and the user will be returned to the same
.Nm
command prompt.
If ! is entered without arguments in interface or bridge config mode the,
no operation will be carried out but the user will be returned to the global
configuration mode.
This is to facilitate users interactively copying and pasting
.Nm
configurations between devices which would contain the "!" spacing character.
.Pp
E.g. list files in /root
.Bd -literal -offset indent
nsh(p)/!ls /root

helloworld.c
helloworld2.c

nsh(p)/!ksh

kshprompt#
.Ed
.Pp
.Tg ip
.Op no
.Ic ip
.Op Cm arptimeout | arpdown | carp | carp-log | carp-preempt | forwarding |\
 mforwarding | mtu-path-disc | mtu-disc-timeout | ipip |  gre | wccp | etherip\
 | ipcomp | esp | esp-udpencap | esp-udpencap-port | ah | sourceroute | encdebug\
 | send-redirects | ifq-maxlen |  directed-broadcast | multipath | default-ttl\
 |\&?
.Pp
Modify system kernel ip processing parameters or features.
(requires privileged mode).
.Pp
All commands in this category allow the 'no' modifier to disable the option.
.Bd -literal -offset indent
nsh(config-p)/ip ?
% Commands may be abbreviated.
% 'ip' commands are:

  arptimeout          Seconds for ARP entries to remain in cache
  arpdown             Seconds before resending unanswered ARP requests
  carp                Allow CARP
  carp-log            CARP Logging Priority
  carp-preempt        CARP Virtual Host Preemption
  forwarding          Enable IPv4 Forwarding
  mforwarding         Enable IPv4 Multicast Forwarding
  mtu-path-disc       Enable IPv4 MTU Path Discovery
  mtu-disc-timeout    Seconds that MTU entries remain in Path MTU discovery cache
  ipip                Allow IP-in-IP Encapsulation
  gre                 Allow Generic Route Encapsulation
  wccp                Allow Web Cache Control Protocol
  etherip             Allow Ether-IP Encapsulation
  ipcomp              Allow IP Compression
  esp                 Allow Encapsulated Security Payload
  esp-udpencap        Allow ESP encapsulation within UDP
  esp-udpencap-port   UDP port number for encapsulation
  ah                  Allow Authentication Header
  sourceroute         Process Loose/Strict Source Route Options
  encdebug            Enable if_enc debugging
  send-redirects      Send ICMP redirects
  ifq-maxlen          IPv4 ifqueue max length
  directed-broadcast  Allow directed broadcasts
  multipath           Multipath routing
  default-ttl         Default IP packet TTL
  ?                   Options

.Ed
.Ic ip arptimeout
.Ar seconds
.Pp
Sets the timeout (seconds) for ARP entries to remain in cache on this system.
.Pp
When the system stops receiving ARP packets from the host and, the
.Ic arptimout
seconds pass, the arp entries are removed from the ARP cache.
If a service or user requests to communicate with the IP address of the
removed cache entry the system requests via broadcast an ARP request.
Lower
.Ic arptimeout
values increase the broadcast traffic on the underlying network.
While higher
.Ic arptimeout
values increase the time it takes to resolve a host.
This setting should be the same or lower on a router than the bridge MAC table
timeout on an intermediate bridge.
.Bd -literal -offset indent
nsh(config-p)/ip arptimeout 300
.Ed
.Pp
.Op no
.Ic ip arpdown
.Ar seconds
.Pp
Set or remove configured timeout (seconds) the system waits before resending an
unanswered ARP request.
.Pp
If the ARP system fails to resolve a MAC address, the system waits for
.Ic ip arpdown
number of seconds before retrying.
.Pp
Lower settings increases the broadcast traffic on the underlying network
while higher settings increases the time it takes to resolve a host
(after the host boots up) and on a network that is experiencing packet loss.
.Bd -literal -offset indent
nsh(config-p)/ip arpdown 20
.Ed
.Pp
.Op no
.Ic ip carp
.Pp
Enable or disable
.Xr carp 4
functionality in the system kernel.
Carp is a BSD licensed technology for router redundancy utilising a virtual ip
that floats between 2 or more routers on a LAN segment, it is similar to VRRP
or HSRP.
.Bd -literal -offset indent
nsh(config-p)/ip carp
.Ed
.Pp
.Op no
.Ic ip carp-log
.Ar 0-7
.Pp
Enable or disable logging of carp state change, bad packets and other errors
in the system kernel.
carp-log may be set to a value between 0 and 7 corresponding with standard
syslog(3) priorities.
The default value is 2, which limits logging to changes in CARP state.
.Bd -literal -offset indent
nsh(config-p)/ip carp-log 7
.Ed
.Pp
.Op no
.Ic ip carp-preempt
.Pp
Enable or disable the device taking master role from an existing master carp
router
.Bd -literal -offset indent
nsh(config-p)/ip carp-preempt
.Ed
.Pp
.Op no
.Ic ip forwarding
.Pp
Enable or disable IP packet forwarding in the system kernel.
This must be set in order to use routing, NAT, IPsec or packet filter features.
.Bd -literal -offset indent
nsh(config-p)/ip forwarding
.Ed
.Pp
.Op no
.Ic ip ipip
.Pp
Enable or disable IP-in-IP encapsulation in the system kernel.
.Bd -literal -offset indent
nsh(config-p)/ip ipip
.Ed
.Pp
.Op no
.Ic ip gre
.Pp
Enable or disable Generic Route Encapsulation in the system kernel.
Must be used to enable
.Xr gre 4
interfaces.
.Bd -literal -offset indent
nsh(config-p)/ip gre
.Ed
.Pp
.Op no
.Ic ip wccp
.Pp
Enable or disable GRE-based Web Cache Control Protocol packets to manage
caching device.
Must be used to enable WCCP on
.Xr gre 4
interfaces.
.Bd -literal -offset indent
nsh(config-p)/ip wccp
.Ed
.Pp
.Op no
.Ic ip etherip
.Pp
Enable or disable GRE-based Ether-IP encapsulation in the system kernel.
.Bd -literal -offset indent
nsh(config-p)/ip etherip
.Ed
.Pp
.Op no
.Ic ip ipcomp
.Pp
Enable or disable IPComp internet protocol compression in the system kernel.
.Bd -literal -offset indent
nsh(config-p)/ip ipcomp
.Ed
.Pp
.Op no
.Ic ip esp
.Pp
Enable or disable IPsec Encapsulated Security Payload procesing in the system
kernel.
(Enabled by default.)
.Bd -literal -offset indent
nsh(config-p)/ip esp
.Ed
.Pp
.Op no
.Ic ip esp-udpencap
Enable or Disable processing of UDP encapsulated ESP packets in the system
kernel.
(Enabled by default.)
.Bd -literal -offset indent
nsh(config-p)/ip esp-udpencap
.Ed
.Pp
.Op no
.Ic ip esp-udpencap-port
.Ar 0-65535
Sets the value of the UDP port that triggers decapsulation for incoming
UDP encapsulated ESP packets.
(The default port is 4500) udp encapsulated esp packets are useful for
traversing NAT routers.
.Bd -literal -offset indent
nsh(config-p)/ip esp-udpencap-port 4600
.Ed
.Pp
.Op no
.Ic ip ah
.Pp
Enable or disable IPsec Authentication Header processing in the system kernel.
(Enabled by default.)
.Bd -literal -offset indent
nsh(config-p)/ip ah
.Ed
.Pp
.Op no
.Ic ip sourceroute
.Pp
Enable or disable processing loose or strict source routing options on IP
packet headers.
Do not enable this option on systems connected to the public internet.
.Bd -literal -offset indent
nsh(config-p)/ip sourceroute
.Ed
.Pp
.Op no
.Ic ip encdebug
.Pp
Enable or disable printing debug messages for the
.Xr enc 4
interface to the
kernel output.
Note! Requires a kernel compiled with ENCDEBUG option.
.Bd -literal -offset indent
nsh(config-p)/ip encdebug
.Ed
.Pp
.Op no
.Ic ip send-redirects
.Pp
Controls whether or not the system sends ICMP redirects to local hosts.
(Enabled by default).
.Pp
When there is a direct path on the local network from one host to another, but
one of those hosts chooses to talk through the router instead, the system
sends an ICMP redirect to the originating host.
This redirect tells the host the direct path on the network to send further
packets.
.Bd -literal -offset indent
nsh(config-p)/ip send-redirects
.Ed
.Pp
.Op no
.Ic ip directed-broadcast
.Pp
Enable or disable kernel forwarding of IP traffic to the broadcast address
of any interface on the system.
This setting is useful for limiting certain types of DoS attacks.
.Pp
.Op no
.Ic ip multipath
.Pp
Enable or disable ip multicast forwarding in the system kernel.
(Disabled by default.)
.Bd -literal -offset indent
nsh(config-p)/ip mforwarding
.Ed
.Pp
.Op no
.Ic ip default-ttl
.Ar ttl
.Pp
Sets the default ttl used on IP packets originating from this system.
Valid ttl value is in the range 1-255.
.Pp
The TTL, or time-to-live, is decremented by one each time the packet passes
through another router on the internet.
The default TTL that the system uses is 64, therefore it allows for the
packet to pass through up to 64 routers (also called hops) before reaching
its destination.
The main purpose of the TTL is to avoid routing loops in the network.
.Bd -literal -offset indent
nsh(config-p)/ip default-ttl 128
.Ed
.Pp
.Ic ip \&?
.Pp
Displays the help menu and available ip command options.
.Bd -literal -offset indent
nsh(config-p)/ip ?
.Ed
.Pp
.Tg interface
.Op no
.Ic interface
.Op  inet | ip | autoconf4 | description | group | rdomain | \
 | rtlabel | priority| llpriority | mtu | metric | link | arp | lladdr | nwid\
 | nwkey | powersave | txpower | bssid | media | mediaopt | auth | peer\
 | pppoe | tunnel | tunneldomain | txprio | rxprio | vnetid\
 | vnetflowid | parent | patch | keepalive | mplslabel | pwe\
 | syncdev | syncpeer | maxupd | vhid | advbase | advskew | carppass\
 | carpdev | carpnode | carppeer | balancing | pflow |  debug\
 | dhcrelay | wol |  mpls | inet6 | autoconf6\
 | autoconfprivacy | temporary | monitor |  wgpeer | wgport\
 | wgkey |  wgrtable | trunkport | trunkproto | shutdown | show | |\&?\
 | manual | exit
interface mode commands, are commands that can be applied to a specific
named interface.
.Bd -literal -offset indent
nsh(interface-em0)/?
% Commands may be abbreviated.
% Type 'exit' at a prompt to leave interface configuration mode.
% Interface configuration commands are:

  inet             IPv4/IPv6 addresses
  ip               Alias for "inet" command
  autoconf4        IPv4 Autoconfigurable address (DHCP)
  description      Interface description
  group            Interface group
  rdomain          Interface routing domain
  rtlabel          Interface route labels
  priority         Data packet priority
  llpriority       Link Level packet priority
  mtu              Maximum Transmission Unit
  metric           Routing metric
  link             Link level options
  arp              Address Resolution Protocol
  staticarp        Always use static ARP to find other hosts
  lladdr           Link Level (MAC) Address
  nwid             802.11 network ID
  nwkey            802.11 network key
  powersave        802.11 powersaving mode
  txpower          802.11 transmit power
  bssid            802.11 bss id
  media            Media type
  mediaopt         Media options
  auth             PPP authentication
  peer             PPP peer authentication
  pppoe            PPPoE settings
  tunnel           Tunnel parameters
  tunneldomain     Tunnel routing domain for transit
  txprio           Priority in tunnel protocol headers
  rxprio           Source used for packet priority
  vnetid           Virtual interface network identifier
  vnetflowid       Use part of vnetid as flowid
  parent           Parent interface
  patch            Pair interface
  ping             Send IPv4 ICMP echo request
  ping6            Send IPv6 ICMP echo request
  traceroute       Print the route to IPv4 host
  traceroute6      Print the route to IPv6 host
  ssh              SSH connection to remote host
  telnet           Telnet connection to remote host
  logger           Write a message to syslog on the system
  do               Superfluous, do is ignored and its arguments executed
  setenv           Set an environment variable
  unsetenv         Delete an environment variable
  saveenv          Save environment variables set by setenv to ~/.nshenv
  keepalive        GRE tunnel keepalive
  mplslabel        MPLS local label
  pwe              MPLS PWE3
  syncdev          PFsync control message interface
  syncpeer         PFsync peer address
  maxupd           PFsync max updates, defer first packet
  vhid             CARP virtual host ID
  advbase          CARP advertisement interval
  advskew          CARP advertisement skew
  carppass         CARP passphrase
  carpdev          CARP device
  carpnode         CARP additional vhid/advskew
  carppeer         CARP peer
  balancing        CARP balancing mode
  pflow            pflow data export
  debug            Driver dependent debugging
  dhcrelay         DHCP Relay Agent
  wol              Wake On LAN
  mpls             MPLS
  inet6            IPv6 addresses
  autoconf6        IPv6 Autoconfigurable address
  autoconfprivacy  Privacy addresses for IPv6 autoconf
  temporary        Temporary addresses for IPv6 autoconf
  monitor          Monitor mode for incoming traffic
  wgpeer           Wireguard peer config
  wgport           Wireguard UDP port
  wgkey            Wireguard private key
  wgrtable         Wireguard routing table
  trunkport        Add child interface(s) to trunk
  trunkproto       Define trunkproto
  apn              Access Point Name
  setpin           Set SIM card PIN
  setpuk           Set new SIM card PIN using PUK for validation
  chgpin           Permanently change SIM PIN
  class            Preferred cell classes
  roaming          Enable data roaming
  interface        Modify interface parameters
  shutdown         Shutdown interface
  show             Show system information
  who              Display system users
  verbose          Set verbose diagnostics
  editing          Set command line editing
  !                Invoke a subshell or run an executable
  ?                Options
  manual           Display the NSH manual
  exit             Leave interface config mode and return to global config mode
.Ed
.Pp
.Op no
.Ic inet
.Op Ar address/prefix-length | address/netmask
.Pp
Adds or removes the specified IPv4 or IPv6 address on the interface.
An IPv4 address can be configured with CIDR bitlength, or classic netmask.
.Bd -literal -offset indent
nsh(interface-fxp0)/inet 192.168.100.1/24
.Ed
or
.Bd -literal -offset indent
nsh(interface-fxp0)/inet 192.168.100.1/255.255.255.0
.Ed
.Pp
An IPv6 address may be configured with a network prefix length.
.Bd -literal -offset indent
nsh(interface-lo0)/inet ::1/128
.Ed
.Pp
The command
.Cm no inet
without futher arguments removes all IPv4 addresses from the interface.
The
.Cm no inet6
command (see below) may be used to remove all IPv6 addresses.
.Pp
.Op no
.Ic inet
.Cm autoconf
.Pp
Equivalent to the
.Cm autoconf4
command.
.Pp
.Op no
.Ic inet
.Cm dhcp
.Pp
Equivalent to the
.Cm autoconf4
command.
.Pp
.Op no
.Ic ip
.Pp
Equivalent to the
.Cm inet
command, for convenience.
All parameters accepted by
.Cm inet
are also accepted by
.Cm ip ,
including
.Cm autoconf
and
.Cm dhcp .
.Pp
.Op no
.Ic alias
.Pp
Deprecated and also equivalent to the
.Cm inet
command.
.Pp
.Op no
.Ic autoconf4
.Pp
Enables or disables DHCP on a given (broadcast and layer2 capable)
interface.
.Pp
DHCP client notes:
DHCP client mode takes control of default gateway route.
There is currently no way to control default gateway if DHCP client is used
on multiple interfaces.
The first DHCP client interface to succeed in obtaining a lease sets the
default gateway.
.Pp
.Op no
.Ic description
.Ar text
.Pp
Adds or removes a descriptive label to the interface.
.Bd -literal -offset indent
nsh(interface-em0)/description Chris-WAN01-Link
.Ed
.Pp
.Op no
.Ic group
.Ar group-name
.Op another-group-name...groupname-N
.Pp
Adds or removes a group label to the interface.
The group can then be referred to in other configuration such as the
firewall pf configuration.
This is useful for grouping similar interfaces together and, can reduce the
size of your firewall rule set.
An interface can be a member of multiple groups.
.Bd -literal -offset indent
nsh(interface-em0)/group WAN
.Ed
.Pp
.Tg rdomain
.Op no
.Ic rdomain
.Ar routing-domain-number
.Pp
Set the
.Xr rdomain 4
or routing domain of an interface.
Note that this command clears all existing ip configuration on the interface.
Therefore, you should run this command before any configuring any other
setting on the interface.
.Pp
.Op no
.Ic rtlabel
.Op Ar rtable-id
.Pp
Set or remove the
.Xr rtable 4
id on an interface.
Each
.Xr rdomain 4
can contain multiple
.Xr rtable 4
this feature allows for policy routing within each rdomain.
.Pp
.Op no
.Ic priority
.Ar 0-15
.Pp
Set the interface routing priority to a value in the range of 0 to 15 with
smaller numbers being better.
The default priority of an interface is 0, except for IEEE 802.11 wireless
interfaces (priority 4), umb(4) interfaces (priority 6), and carp(4)
interfaces (priority 15).
The default priority of newly connected routes (routes created by
configuring an IP address on an interface) is calculated by adding 4
(RTP_CONNECTED) to the interface priority.
The default priority of new static routes added to the kernel is calculated
by adding 8 (RTP_STATIC) to the interface priority.
.Pp
.Op no
.Ic llpriority
.Ar 0-7
Sets or remove the priority for link layer communications on the interface
to a value between 0-7
.Xr arp 8
.Xr ndp 8
.Xr bpf 4
.Xr pppoe 4
.Bd -literal -offset indent
nsh(interface-em0)/llpriority 7
.Ed
.Pp
.Op no
.Ic mtu
.Ar mtu-bytes
.Pp
Add or remove a configured Maximum Transmission Unit (MTU) on the interface.
This is the maximum packet size that the operating system is permitted to
transmit.
Use the
.Ic no
keyword to set
.Ic mtu
to reset the interface MTU to the default value for that interface type.
.Pp
The output of 'show interface' displays a 'hardmtu' value which is the
maximum mtu value supported by the hardware and driver currently installed.
The mtu command fails gracefully if the specified mtu exceeds the hardmtu
value of the interface.
.Pp
A larger MTU is particularly useful for underlay interfaces which
encapsulated tunneled traffic traverses or for features which stack tags,
such as
.Xr pppoe 4 ,
.Xr vxlan 4 ,
.Xr etherip 4 ,
.Xr eoip 4 ,
.Xr gre 4 ,
.Xr vlan 4 ,
QinQ, svlan or tagging or QinQ (svlan) tagging and MPLS devices such as
.Xr mpe 4 ,
.Xr mpip 4 ,
and
.Xr mpw 4 .
.Pp
nsh(interface-vr0)/mtu 1600
.Pp
.Op no
.Ic metric
.Ar 0-2147483647
.Pp
Set routing metric for the interface.
Using
.Ic no
keyword
before metric sets the interface metric to the default value of zero.
.Bd -literal -offset indent
nsh(interface-fxp0)/metric 2
.Ed
.Pp
.Op no
.Ic link <0|1|2>
.Pp
Set any of the link flags on the interface.
Using
.Ic no
keyword before
.Ic link XYZ
removes the specified link flags 'XYZ'.
Using
.Ic no
keyword before
.Ic link
removes all link flags from the interface.
.Bd -literal -offset indent
nsh(interface-gre0)/no link 0
.Ed
Each different interface type uses link flags for different purposes.
.Pp
.Tg arp
.Op no
.Ic arp
.Pp
Enable or disable
.Xr arp 8
Address Resolution Protocol ARP on the interface.
(Enabled by default.)
.Bd -literal -offset indent
nsh(interface-fxp0)/arp
nsh(interface-fxp0)/no arp
.Ed
.Pp
.Op no
.Ic staticarp
.Pp
Always use static ARP entries to find other hosts reachable via the interface.
(Disabled by default.)
.Bd -literal -offset indent
nsh(interface-fxp0)/staticarp
nsh(interface-fxp0)/no staticarp
.Ed
.Pp
Only hosts with entries in the static ARP table will be reachable via
the interface.
Static ARP entries can be configured using the
.Cm arp
command in the global context (not the
.Cm arp
command in the interface context).
.Pp
When
.Cm staticarp
is enabled no ARP requests will be sent out on the interface, while
responses to incoming ARP requests for the interface's own addresses
will still be sent.
If ARP was previously disabled on the interface with the
.Cm no arp
command then ARP will be automatically re-enabled to allow outgoing
ARP responses.
.Pp
.Tg macaddress
.Tg lladdr
.Op no
.Ic lladdr
.Ar mac-address | random
.Pp
Set or remove the mac address on the interface.
The administrator can specific a macadress in colon notation e.g.
00:11:22:33:44:55 or random to request a random mac address assignment
for the interface.
.Bd -literal -offset indent
nsh(interface-vether3)/lladdr random
nsh(interface-vether3)/lladdr 00:11:22:33:44:55
.Ed
.Pp
.Op no
.Ic nwid
.Ar network-id
.Pp
Set or remove the configured network ID for an 802.11 capable interface.
Use the
.Ic no
keyword before the
.Ic nwid
to reset to the default value of a blank network ID.
.Pp
.Op no
.Ic nwkey
.Ar key
.Pp
Set the WEP network key for an 802.11 capable interface.
Use the
.Ic no
keyword before nwkey to turn off WEP.
.Pp
.Op no
.Ic powersave
.Ar time
.Pp
Set the 802.11 powersaving mode to X ms of time.
Use the
.Ic no
keyword before powersave to set the powersave mode to the default powersave
time.
.Pp
.Op no
.Ic txpower
.Ar dBm
.Pp
Set the transmit power on an 802.11 radio network interface manually.
Power units are in dBm.
Use the
.Ic no
keyword before
.Ic txpower
to set the radio transmit power to automatic.
.Pp
E.g to set the tx power of iwn0  to 10dBm simply enter the command below:
.Bd -literal -offset indent
nsh(interface-iwn0)/txpower 10
.Ed
.Pp
.Op no
.Ic bssid
.Ar mac-address
.Pp
Set or remove the configured BSSID of a radio interface to a specific
MAC address, the mac-address should be entered in semi colon format
e.g. 12:34:56:78:9a:bc.
.Pp
E.g. set the bssid of radio interface iwn0
.Bd -literal -offset indent
nsh(interface-iwn0)/bssid 12:34:56:78:90:12
.Ed
.Pp
.Op no
.Ic media
.Op type
.Op instance
.Pp
Set the media type of the interface.
Entering media without an argument diplays help for the media settings
available for the interface.
.Pp
E.g. show media settings supported by an intel pro 1000 em(4) interface
.Pp
nsh(interface-em0)media
.Pp
%autoselect | 10baseT | 100baseTx | 1000baseT.
.Pp
E.g to set the speed of the network interface speed to 1000mb/s
.Bd -literal -offset indent
nsh(interface-em0)/media 1000baseT
.Ed
Note! Enabling verbose mode and running show interface <interfacename>
displays all media settings supported by the network interface.
.Bd -literal -offset indent
nsh(p)/verbose
% Diagnostic mode enabled

nsh(p)/sho int vr0
% vr0
  Interface is up (last change 37d 12:16:02), protocol is up
  Interface type Ethernet (Broadcast), hardware address 00:0d:b9:29:6b:50
  Media type autoselect (100baseTX full-duplex), status active
  Internet address 100.64.0.1/24, fe80::20d:b9ff:fe29:6b50%vr0/64
  Routing Domain 0, MTU 1500 bytes (hardmtu 1740), Line Rate 100 Mbps
  187081496 packets input, 232860544316 bytes, 19 errors, 0 drops
  102231197 packets output, 21564487790 bytes, 0 errors, 3267264 unsupported
  1244 input, 210 output (average bytes/packet)
  0 collisions
  Flags:
    <UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
  Hardware features:
    <CSUM_IPv4,CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING,WOL>
  Supported media types on vr0:
    media none
    media 10baseT
    media 10baseT, mediaopt full-duplex
    media 100baseTX
    media 100baseTX, mediaopt full-duplex
    media autoselect

.Ed
To force the interface to use a particular media type,
.Bd -literal -offset indent
nsh(interface-vr0)/media 10baseT
.Ed
.Pp
.Op no
.Ic mediaopt
.Ar option
.Pp
Set or remove media options such as full-duplex / half-duplex.
.Pp
e.g to set vr0 interface to full-duplex mode:
.Bd -literal -offset indent
nsh(interface-vr0)/mediaopt full-duplex

nsh(interface-vr0)/no mediaopt full-duplex
.Ed
.Pp
.Op no
.Ic auth
.Cm proto
.Ar pap | chap
.Cm name Ar name-text
.Cm key Ar key-text
.Pp
Set or remove the PPP authentication parameters for the interface.
.Pp
.Op no
.Ic peer
.Cm proto Ar pap | chap
.Cm name Ar name-text
.Cm key Ar key-text
.Op Cm flag Ar callin | norechalange
.Pp
Set or remove configured peer PPP authentication parameters for the interface.
.Pp
.Op no
.Ic tunnel
.Ar source-ip  destination-ip
.Op Cm ttl Ar 0-255
.Op df
.Op ecn
.Pp
Set or remove tunnel assignments with this command.
Note that tunnel assignments are only valid on gif and gre interfaces at
this time.
TODO
.Bd -literal -offset indent
nsh(interface-gre0)/tunnel 12.3.3.3 12.6.6.6
.Ed
.Pp
.Op no
.Ic tunneldomain
.Op rdomain-id
.Pp
Set or remove tunnel routing domain over which tunnel encapsulated packets
are to be exchanged between tunnel ip endpoints.
.Pp
.Op no
.Cm txprio Op Ar 0-7 | packet | payload
.Pp
Set or remove configured transmit priority of the headers of a tunnel interface.
Valid options are standard traffic priority values (0-7) or set the headers
according to encapsulated packet or payload priority.
.Pp
E.g. to set the priority of headers of the tunnel gre1 to match that of the
payload.
.Bd -literal -offset indent
nsh(interface-gre1)/txprio payload
.Ed
.Pp
.Op no
.Cm rxprio Op Ar 0-7 | packet | payload
.Pp
Set or remove configured receive priority of the headers of a tunnel
interfaces are standard traffic priority values (0-7) or set the headers
according to encapsulated packet / payload priority).
.Pp
E.g. to set the priority of headers of tunnel gre1 manually to 7 regardless
of payload:
.Bd -literal -offset indent
nsh(interface-gre1)/rxprio 7
.Ed
.Pp
.Tg vxlan
.Tg vlan
.Tg vnetid
.Tg vni
.Op no
.Cm vnetid Op 0-16777215 | 1-4094
.Pp
On a
.Xr vxlan 4
interface, set or remove the 24 bit virtual network identifier VNI tag.
Virtual network identifier tags are typically used in large multi
tenant VXLAN multiple routing domain environments and have an
acceptable range of 0-16777215.
.Pp
On a
.Xr vlan 4
interface, set or remove the VLAN ID in IEEE 802.1Q vlan tag
If vnetid invoked inside a vlan interface the acceptable range is the
standard 12-bit vlan id 1-4094.
.Pp
E.g. set vxlan100 vnetid to 8192.
.Bd -literal -offset indent
nsh(interface-vxlan100)/vnetid 8192
.Ed
.Pp
.Op no
.Cm vnetflowid
.Pp
Allow or disallow the interface to use a portion of the virtual network
identifier space as a flow identifier.
This allows loadbalancing of the encapsulated traffic over multiple links.
.Pp
E.g. enable vnetflowid load balancing for gre1.
.Bd -literal -offset indent
nsh(interface-gre1)/vnetflowid
.Ed
.Pp
.Op no
.Ic parent
.Ar parent-interface
.Pp
Set or remove the parent interface for a
.Xr vlan 4
interface.
.Pp
E.g. set the parent interface of vlan1024 to em0.
.Bd -literal -offset indent
nsh(interface-vlan1024)/parent em0
.Ed
.Pp
.Tg pair
.Tg patch
.Op no
.Ic patch
.Ar pair-interface-name
.Pp
Set or remove patch (layer1+ connection) between current interface and another
.Xr pair 4
interface.
A patch is a CPU efficient way of forwarding packets between two
.Xr pair 4
interfaces, the forwarding mechanisim is layer1 like a cable what is sent
by one
.Xr pair 4
interface is recived by the other
.Xr pair 4
interface and vice versa.
Patch can only connect two
.Xr pair 4
interfaces, no other interface types are supported.
.Pp
E.g. To connect pair1 and pair2 interfaces with a virtual patch cable.
.Bd -literal -offset indent -compact
nsh(config-p)/interface pair1

nsh(interface-pair1)/patch pair2
.Ed
.Pp
.Op no
.Ic keepalive
.Op Ar period Ar count
.Pp
Enable or disable gre / gre based interfaces sending keepalive packets sent
every period seconds.
A second timer is run with a timeout of count * period.
If no keepalive response is received during that time, the link is considered
down.
The minimal usable count is 2 since the round-trip time of keepalive packets
 needs to be taken into account.
.Pp
E.g. enable keepalives on interface gre1 at 1 second interval and down
count of 3.
.Bd -literal -offset indent
nsh(interface-gre1)/keepalive 1 3
.Ed
.Pp
.Tg mpls
.Tg vpls
.Tg label
.Op no
.Ic mplslabel
.Op Ar 16-1024575
.Pp
Set or remove the local MPLS label to the specified mplslabel this label on
the local system shall de-encapsulated for input.
(MPLS labels 0-15 inclusive are reserved labels and cannot be used).
MPLS labels are supported for
.Xr mpe 4 ,
.Xr mpip 4
and
.Xr mpw 4
interfaces.
.Pp
E.g. set the mpls label to 10240 on interface mpe1.
.Bd -literal -offset indent
nsh(interface-mpe1)/mplslabel 10240
.Ed
.Pp
.Op no
.Ic pwe neighbor
.Op Ar neighbor-label Ar neighbor-ip
.Pp
Set or remove the configuration of the PWE3 neighbor, configured with an MPLS
neighbor label and a neighbor ip.
neighbor-label can be any value 16-1024575.
neighbour-ip should be set to the ip address of the PWE3 neighbor.
.Pp
.Op no
.Ic pwe
.Op Ar cw
.Pp
Enable or disable the use of PWE3 Control Word.
The control word is used to facilitate fragmentation across mpls packets.
This option supported on the
.Xr mpip 4
and
.Xr mpw 4
interfaces.
.Pp
E.g. enable control word on an mpls pseudo wire interface mpw1.
.Bd -literal -offset indent
nsh(interface-mpw1)/pw cw
.Ed
.Pp
.Op no
.Ic pwe
.Op Ar fat
.Pp
Enables or disables the use of PWE flow-aware transport FAT flow label.
This option supported on the
.Xr mpip 4
and
.Xr mpw 4
interfaces.
.Pp
E.g. Enable flow-aware transport flow label on mpls ip interface mpip1
.Bd -literal -offset indent
interface-mpip1)/pw fat
.Ed
.Pp
.Tg pfsync
.Tg sync
.Tg syncdev
.Op no
.Ic syncdev
.Ar syncdev-name
.Pp
Configures or removes the data interface through which pfsync update messages
are sent.
Note that the pfsync protocol currently includes no authentication method.
It is advisable to layer authentication, signing and (possibly encrypted
tunnels for the underlay interfaces.
For simplicity on co-located pfsynced firewalls a secure way to use pfsync,
is through a a direct (layer1 (i.e. no switches)) cable connecting directly
between two pfsync capable devices (i.e. a conenction made with an ethernet
patch cable).
This command is valid only for
.Xr pfsync 4
interfaces.
.Pp
E.g. Set the physical interface em1 as the pfsync0 syncdev
.Bd -literal -offset indent
nsh(interface-pfsync0)/syncdev em1
.Ed
.Pp
.Op no
.Ic syncpeer
.Op Ar ipv4-peer-pfsync-address
.Pp
Set or remove a manually entered ip address of the pfsync interface of a
peer pf sync firewall.
By default, state change messages are sent out on the synchronisation
interface using IP multicast packets to the 224.0.0.240 group address.
When syncpeer ip address is set the sync messages are sent via unicast
to the specified ipv4-peer-pfsync-address.
This command is valid only for
.Xr pfsync 4
interfaces.
.Pp
E.g. set sync messages to use unicast peer ip address 192.0.0.10 which
is reachable via syncdev interface.
.Bd -literal -offset indent
nsh(interface-pfsync0)/syncpeer 192.0.0.10
.Ed
.Pp
.Op no
.Ic maxupd
.Ar 0-255
.Op defer
.Pp
Configures or removes the maximum number of updates which are collapsible into
one for a single state.
The default value is 128.
The transmission a pfsync update packet shall be delayed by a maximum of 1
second.
The defer flag defers the first packet of each connection from being
delivered until the state is active on pfsync peer.
This command is valid only for
.Xr pfsync 4
interfaces.
.Pp
E.g. set the pfsync to aggregate the maximum number of state changes before
sending a pfsync update message (reduce pfsync traffic updates)
.Pp
nsh(interface-pfsync0)/maxupd 255
.Pp
E.g. set pfsync to aggregate a max of 32 state changes in one packet and delay
fowarding of new connection packets until peers pfstate is synchronised use:
.Bd -literal -offset indent
nsh(interface-pfsync0)/maxupd 32 defer
.Ed
.Pp
.Tg carp
.Tg hsrp
.Tg vrrp
.Op no
.Ic vhid
.Op Ar 1-255
.Pp
Configure or remove the virtual host ID for the Common Address Redundancy
CARP protocol.
vhid is valid for
.Xr carp 4
interfaces only.
.Pp
E.g. set virtual router host id on carp0 interface to 12.
.Bd -literal -offset indent
nsh(interface-carp0)/vhid 12
.Ed
.Pp
.Op no
.Ic advbase
.Op Ar 0-254
.Pp
Configure or remove the advertisement interval in seconds for the master host
to advertise itself.
advbase is valid for
.Xr carp 4
interfaces only.
.Pp
E.g. set the advertisement interval to 10 seconds on carp0 interface.
.Bd -literal -offset indent
nshpromot(interface-carp0)/advbase 10
.Ed
.Pp
.Op no
.Ic advskew
.Ar skew
.Pp
Configure or remove the carp advertisement skew on the active carp interface.
The formula is advbase + (advskew / 255).
If the master does not advertise within three times this interval, this host
assumes master role and starts advertising as master.
The device with the highest advskew value is least likely to become master,
a device with a high advskew only becomes master if all other devices are
offline. advskew is valid for
.Xr carp 4
interfaces only.
.Pp
E.g. set the advskew to 20 on carp0 interface.
.Bd -literal -offset indent
nsh(interface-carp0)/advskew 20
.Ed
.Pp
.Op no
.Ic carppass
.Ar passphrase
.Pp
Configure or remove the CARP passphrase of the active interface.
The passphrase can be up to 19 characters long and can contain special
characters.
There is no passphrase by default.
carpass is valid for
.Xr carp 4
interfaces only.
.Pp
E.g. Set carp0 carp passphrase to 19CharPassphrase!!! including exclamation
marks.
.Bd -literal -offset indent
nsh(interface-carp0)/carppass 19CharPassphrase!!!
.Ed
.Pp
.Op no
.Ic carpdev
.Op Ar interface-name
.Pp
Set or remove the interface on which the selected carp interface's carp
advertisements are sent and received.
The carpdev is the "real interface" over which the carp virtual IP is
accessible.
carpdev is valid for
.Xr carp 4
interfaces only.
.Pp
E.g set carp0 to use vlan10 as its carpdev.
.Bd -literal -offset indent
nsh(interface-carp0)/carpdev vlan10
.Ed
.Pp
.Op no
.Ic carpnode
.Op Ar vhid
.Op advskew
.Op state
.Pp
Set or remove carpnode parameter on a carp interface.
carpnode facilitates loadbalancing across carp nodes.
Each carpdevice that you wish to loadbalance should have a carpnode and
advskew entry on each carp device.
carpnode is valid for
.Xr carp 4
interfaces only.
.Pp
E.g. For a 3 node carp cluster, one can setup carpnode loadbalanced entries as
follows.
.Pp
on carp router 1
.Bd -literal -offset indent
nsh(interface-carp0)/carpnode 1 10
.Ed
on caro router 2
.Bd -literal -offset indent
nsh(interface-carp0)/carpnode 1 20
.Ed
on carp router 3
.Bd -literal -offset indent
nsh(interface-carp0)/carpnode 1 30
.Ed
.Pp
.Op no
.Ic carppeer
.Op Ar peer-ip-address
.Pp
Set or remove the carppeer ip address of a carp peer on the active carp
interface.
carppeer is valid for
.Xr carp 4
interfaces only.
.Pp
E.g. set carppeer to 10.2.3.4 on carp0 interface.
.Bd -literal -offset indent
nsh(interface-carp0)/carppeer 10.2.3.4
.Ed
.Pp
.Op no
.Cm balancing Op Ar none | ip | ip-stealth | ip-unicast
.Pp
Set or remove the balancing mode on the active carp interface.
Valid balancing modes are as follows:
.Bl -bullet -compact
.It
none			no load-balancing.
.It
ip 			IP load balancing on top of Layer 2 multicast MAC
			(requires multicast mac support on the network switch)
.It
ip-stealth		carp wont send packets with its own virtual MAC
			address as the source.
			Stealth mode prevents a switch from learning the
			virtual MAC address, therefore the switch would
			 unicast flood traffic to all switch ports
 			(unless there is some swithc acls to prevent flooding
			unnecessarily.
.It
ip-unicast		Used in conjunction with a HUB or a switch that
			can replicate packets (monitoring or mirror) or
			other non-standard switch forwarding mechanism.
.El
Note: IP balancing is being used on a firewall, it is recommended to
configure the carpnodes in a symmetrical manner.
This is achieved by simply using the same carpnodes list on all sides of the
firewall.
This ensures that packets of one connection pass in and out on the same host
and are not routed asymmetrically.
.Pp
balancing is valid when used in
.Xr carp 4
interfaces.
.Pp
E.g. enable standard IP balancing over layer2 multicast mac on carp0 interface
.Pp
nsh(interface-carp0)/balancing ip
.Pp
.Op no
.Ic pflow
.Op Cm sender Ar sender-ip Cm receiver Ar receiver-ip:port
.Op Cm version Ar 5 | 9 | 10
.Pp
Set or remove pflow export to a
.Xr pflow 4
interface.
plfow without arguments displays command help.
To set a up a pflow export the sender-ip and receiver-ip:port must be specified.
The specified pflow sender-ip address must exist on an interface on the
system already.
The receiver-ip:port is the address of the flow collector in your network.
version specifies the export flow prtocol i.e. netflow version (5 or 9) or
the standardised IPFIX (10).
.Pp
The pflow interface attempts aggregate multiple pflow records in one
export UDP packet.
The aggregation algoritim record for longer than 30 seconds.
The packet size and thus the maximum number of flows is controlled by the
mtu of the inteface the flows are exported via.
.Pp
There is a one-to-one correspondence between packets seen by bpf(4) on
the pflow interface and packets sent out to the flow receiver.
I.e. if a packet with 30 flows on pflow, then the same 30 flows were sent out
to the receiver.
.Pp
pflow command is valid only on a
.Xr pflow 4
interface.
.Pp
E.g. to setup a pflow export from 10.1.1.1 to an IPFIX flow collector
listening on another server on 10.1.1.2 port 4739.
.Bd -literal -offset indent
nsh(config-p)/interface pflow0

nsh(interface-pflow0)/pflow sender 10.1.1.1 receiver 10.1.1.2:4379 version 10
.Ed
.Pp
.Op no
.Ic debug
.Pp
Set or remove the driver-dependant debugging flag for an interface.
Useful for troubleshooting.
.Pp
E.g to set debugging on a carp0 interface.
.Bd -literal -offset indent
nsh(interface-carp0)/debug
.Ed
.Pp
.Tg relay
.Tg dhcp
.Tg dhcprelay
.Tg dhcrelay
.Op no
.Ic dhcrelay
.Op Ar dhcp-server-ip
.Pp
Set or remove dhcp relay agent on the selected interface.
The
.Xr dhcrelay 8
service listens on the selected interface for broadcast
dhcp requests and then wrap the recieved broadcast request in a unicast ip
packet and send it to a DHCP server specified by dhcp-server-ip.
.Pp
E.g. set up dhcprelay on em0 and send requests to DHCP server 10.1.1.2
.Bd -literal -offset indent
nsh(interface-em0)/dhcrelay 10.1.1.2
.Ed
.Pp
.Tg wake
.Tg wol
.Op no
.Ic wol
.Pp
Enable or disable WOL (wake on lan) functionality on the selected interface.
The interface and device bios or firmware must support WOL functionality.
.Pp
E.g. to enable wake on lan on interface em0.
.Bd -literal -offset indent
nsh(config-p)/interface em0

nsh(interface-em0)/wol
.Ed
.Pp
.Tg mpls
.Tg vpls
.Tg label
.Op no
.Ic mpls
.Pp
Set or remove the MPLS flag on the selected interface,if mpls is set on the
interface, the interface can send and receive mpls traffic.
.Pp
E.g enable mpls on em0
.Bd -literal -offset indent
nsh(config-p)/interface em0

nsh(interface-em0)/mpls
.Ed
.Pp
.Op no
.Ic inet6
.Op Ar address/prefix-length
.Pp
Adds or removes the specified IPv6 address on the interface.
The IPv6 address may be configured with a network prefix length.
.Bd -literal -offset indent
nsh(interface-lo0)/inet6 ::1/128
.Ed
.Pp
The command
.Cm no inet6
without futher arguments removes all IPv6 addresses from the interface,
including link-local addresses.
.Pp
The command
.Cm inet6
without further arguments enables link-local addresses on the interface.
.Pp
E.g. to enable ipv6 link local address on em0
.Bd -literal -offset indent
nsh(config-p)/interface em0

nsh(interface-em0)/inet6
.Ed
.Pp
.Op no
.Ic inet6
.Cm autoconf
.Pp
Equivalent to the
.Cm autoconf6
command.
.Pp
.Op no
.Ic autoconf6
.Pp
Enable or disable IPv6 auto configuration of Ipv6 address on the inteface.
If autoconf6 is used alone (without temporary or autoconfprivacy being set
on the interface then the autoconfigured address assigned is repeatable based
on the MAC address of the interface (EUI64).
.Pp
E.g. enable ipv6 autoconf address on the interface em0.
.Bd -literal -offset indent
nsh(config-p)/interface em0

nsh(interface-em0)/autoconf6
.Ed
.Pp
.Op no
.Ic temporary
.Pp
Configure or remove temporary address extension for stateless ipv6
autoconfiguaration.
Temporary address assignments prevents a repeatable IPv6 address being assigned
to the device to reduce the possibility of longterm external tracking of
device (users) activity.
.Pp
E.g. enable ipv6 autoconf with a temporary address on the interface em0.
.Bd -literal -offset indent
nsh(config-p)/interface em0

nsh(interface-em0)/autoconf6

nsh(interface-em0)/temporary
.Ed
.Pp
.Op no
.Ic autoconfprivacy
.Pp
deprecated. alias for Cm temporary above.
Randomised addresses used to be called autoconfprivacy extensions for IPv6.
Temporary addressing is a better description as privacy is not necessarily
guaranteed by random IP addressing of a device.
.Pp
E.g. enable ipv6 autoconf with "privacy" random temp address on the
interface em0.
.Bd -literal -offset indent
nsh(config-p)/interface em0

nsh(interface-em0)/autoconf6

nsh(interface-em0)/autoconfprivacy
.Ed
.Pp
.Tg sensor
.Tg monitor
.Tg sniff
.Tg span
.Op no
.Ic monitor
.Pp
Configure or remove the monitor flag on the selected interface.
Prevents the packets being processed in the network stack.
Useful for intrusion detection sniffing and other diagnostics.
.Pp
E.g. to enable ipv6 autoconf with "privacy" random temp address on the
interface em0
.Bd -literal -offset indent
nsh(config-p)/interface em0

nsh(interface-em0)/monitor
.Ed
.Pp
.Tg wireguard
.Tg wg
.Op no
.Cm wgpeer Op Ar public-key
.Op Cm endpoint Ar endpoint-ip:port | Cm aip Ar allowed-ip/prefix | Cm psk Ar pre-shared-key | Cm pka Ar interval-sec
.Pp
Configure or remove a wireguard peer with the peers publickey.
The public-key is 32 bytes and base64-encoded.
.Pp
.Ic pka Ar interval-sec
The persistent keep alive (pka) option sets the interval of keepalive packets
in seconds.
By default pka is is disabled i.e. the interval is 0.
pka can help maintain connectivity to a peer that would otherwise be denied
unsolicited traffic by an intermediate firewall or NAT device.
Empirically, an interval of 25 seconds should suffice for most firewall
configurations.
.Pp
.Ic psk Ar pre-shared-key
The psk and preshared-key is optional but recommended as it supplements the
public key cryptography with symmetric key cryptography.
.Pp
.Ic aip Ar allowed-ip/prefix
Set the peer's allowed IPv4 or IPv6 addresses or prefixes for tunnelled traffic.
The option be repeated to set multiple allowed ip/ranges.
No addresses are allowed by default.
.Bl -dash
.It
E.g set the a peer with the following requirements:
.Bl -bullet
.It
public key EJqeFntM71Dfvn/LDu88gLOWw8aeOHoxrshOEHFd6lQ=
.It
from an ip of 10.1.2.3/32
.It
with a keep alive packet interval of 25 seconds
.El
.El
.Bd -literal -offset indent
nsh(config-p)/interface wg0

nsh(interface-wg0)/wgpeer EJqeFntM71Dfvn/LDu88gLOWw8aeOHoxrshOEHFd6lQ=
aip 10.1.2.3/32 endpoint 10.1.2.3:5252
psk oJo0kNhoF3TElGUXDg4b0H6IJvOiVCAc/tuaJa1nmVU=
.Ed
.Ic wgkey
.Op Ar privatekey
Set the private key of the current
.Xr wg 4
wireguard interface.
When
.Ic wgkey
is run without an argument a new wireguard key is generated for the interface.
The privatekey is 32 bytes and base64-encoded.
.Pp
E.g. set the private key of
.Xr wg 4
wireguard interface wg0 to a specific key.
.Bd -literal -offset indent
nsh(config-p)/interface wg0

nsh(interface-wg0)/wgkey QComa+ca+mWih+Vl/5G/p+UwhYy17hw5vdwysZpIAn0=
.Ed
.Pp
.Op no
.Ic wgport Ar 0-65535
.Pp
Set or remove the configuration for the local UDP port to be used by the
current wireguard interface when exchanging traffic with its wireguard peers.
The interface binds to INADDR_ANY and IN6ADDR_ANY_INIT.
If
.Ic wgport
is entered without an argument wireguard selects its own port automatically.
.Pp
E.g. set wireguard interface wg0 to listen on 18443 UDP.
.Bd -literal -offset indent
nsh(config-p)/interface wg0

nsh(interface-wg0)/wgport 18443
.Ed
.Pp
.Op no
.Ic wgrtable
.Op Ar rtable-id
.Pp
Set or remove the configuration of which routing table the Exchange traffic
with peers under.
The routing table choice is made using rtable-id which would be a value
between 0 and 255 on a default
.Ox
kernel.
The routing domain of the wgrtable does not need be in the same routing domain
to which the interface is attached.
wgrtable configures which
.Xr rdomain 4
the interface's tunnelled traffic appears.
.Pp
E.g. set wireguard interface wg0  routing table to routing domain 5.
.Bd -literal -offset indent
nsh(config-p)/interface wg0

nsh(interface-wg0)/wgrtable 5
.Ed
.Pp
.Op no
.Ic shutdown
.Pp
Administratively turn off or on the current interface.
.Pp
Using this command to shutdown and then turn up an interface resets the
interface.
.Bd -literal -offset indent
nsh(interface-de0)/shutdown
nsh(interface-de0)/no shutdown
.Ed
.Sh Section 5 > Bridge mode commands
see the following man pages for information
.Pp
!man bridge
.Pp
!man ifconfig
.Sh Section 6 > PF mode commands
see the following man pages for information
.Pp
!man pfctl
!man pf.conf
.Sh Section 7 Allowing users to run NSH
The design of
.Ox
requires root privileges to administer the network stack.
.Pp
*NB Security Warning!!!
.Pp
The doas configurations outlined below grant a non-root
.Nm
user the ability to obtain root privileges without knowledge of
the root password.
A user can abuse
.Nm
running as root to run arbitrary commands with the !
shell escape syntax.
.Pp
e.g.
.Bd -literal -offset indet
nsh(p)/!adduser new-unauthorised-user
.Ed
.Pp
Access to root privileges must be restricted to trusted users only.
.Pp
*NB End Security Warning
.Pp
Users with regular shell access can start
.Nm
from another shell.
.Pp
Users will be logged into an
.Nm
session directly if the user account's login shell is set to
.Nm
as follows:
.Bd -literal -offset indent
usermod -s /usr/local/bin/nsh nshuser
.Ed
.Pp
(replace 'nshuser' with the actual user name)
.Pp
If a user has knowlege of the root password they can use the nsh
.Cm enable
command to enter
.Nm
privileged mode with root privileges.
.Pp
If the user should not know the root password then
.Xr doas.conf 5
can be used with nsh arguments restricted to the
.Fl e
option.
.Nm
will attempt to obtain root privileges when privileged mode is entered.
To prevent abuse the user will be required to authenticate again with
their own password.
With a line such as the following in
.Pa /etc/doas.conf
this will succeed:
.Bd -literal -offset indent
permit keepenv stacy as root cmd /usr/local/bin/nsh args -e
.Ed
.Pp
To allow a user to run
.Nm
as root and with arbitrary arguments such as
.Fl c
or
.Fl i ,
configure
.Pa /etc/doas.conf
with a line starting with 'permit' to allow the full path to the
.Nm
binary without any other restrictions.
For example, the following allows user 'stacy' to run
.Nm
as root via
.Xr doas 1
with arbitrary arguments:
.Bd -literal -offset indent
permit keepenv stacy as root cmd /usr/local/bin/nsh
.Ed
.Pp
The user stacy can now start
.Nm
via doas with an arbitrary amount of arguments:
.Bd -literal -offset indent
doas /usr/local/bin/nsh ...
.Ed
.Pp
To allow a restricted user to run a specifc
.Nm
script only, configure /etc/doas.conf to require specific arguments to nsh
that involve the
.Fl c
option.
The following example allows a backupuser to display the running-config:
.Bd -literal -offset indent
permit nopass backupuser as root cmd /usr/local/bin/nsh args -c /etc/showrunconfig.nshrc
.Ed
.Pp
Where the file
.Pa /etc/showrunconfig.nshrc
would not be writable by the backupuser account and would look like this:
.Bd -literal -offset indent
enable
show running-config
quit
.Ed
.Pp
A more standards RBAC based approach would be to create a group
.Dq nshusers
on the system for users with the role of managing the system via nsh.
Then allow users that are members of a group to run
.Nm
using /etc/doas.conf by referring to the groupname rather than just
a single username (the colon before the group name is required by
.Xr doas.conf 5
syntax and signifies a group name argument):
.Bd -literal -offset indent
permit keepenv :nshusers as root cmd /usr/local/bin/nsh args -e
.Ed
.Sh Common interface types
Packet Filter Logging: This interface is used to pass traffic logged by
the firewall to software which can record it.
These interface names start with 'pflog'.
.Pp
IPsec Loopback: This interface is used internally in the system to
pass decapsulated IPsec traffic.
All traffic from this interface has already been authenticated and
unencrypted from the IPsec subsystem.
This is useful when writing firewall rules.
These interface names start with 'enc'.
.Pp
Generic Tunnel: This interface is used to configure a network tunnel to
another host or router.
It follows the RFC1933 tunnelling standard.
These interface names start with 'gif'.
.Pp
Ethernet Bridge: This interface is used to configure layer 2 bridging
between physical and virtual network ports on a system.
These interface names start with 'bridge'.
.Pp
Ethernet: This is a physical Ethernet interface, running at 10, 100, or
1000 megabits per second.
These interface names are based on the name of the driver, and vary with
different Ethernet chip types.
.Pp
IEEE 802.1Q Virtual: This is a virtual Ethernet, Token Ring, or FDDI
interface.
It uses the IEEE 802.1Q protocol to segment real Ethernet interfaces into
multiple layer 2 networks.
These interface names start with 'vlan'.
.Pp
Virtual: This is a virtual interface of any type.
Often several different interfaces use this type.
Several versions of
.Ox
use this type to denote virtual IEEE 802.1Q interfaces, described above.
.Pp
PPP: This interface implements the Point to Point Protocol (PPP).
PPP, described in RFC 1661, creates a network over serial communication lines.
It is used over modem connections, direct serial links, leased lines, and
over virtual IP based connections such as in SSH sessions.
These interface names start with 'ppp' when referring to a version which
supports serial and modem connections.
Other interface types may also implement the Point to Point Protocol.
.Pp
IEEE 802.11 Wireless: This interface implements the IEEE 802.11 wireless
LAN protocol.
Many implementations of this network have little or no security unless used
with proper encryption such as IPsec.
These interface names are based on the name of the driver, and vary with
different wireless chip types.
.Sh Interface flags
.Bl -bullet -compact
.It
.Ic UP
.Pp
  		Interface is up
.Pp
.It
.Ic BROADCAST
.Pp
  		broadcast address valid
.Pp
.It
.Ic DEBUG
.Pp
  		debugging enabled (only some network drivers use this)
.Pp
.It
.Ic LOOPBACK
.Pp
		Interface is a loopback network (internal to the machine)
.Pp
.It
.Ic POINTOPOINT
.Pp
		Interface is point-to-point link
.Pp
.It
.Ic NOARP
.Pp
		Address Resolution Protocol is disabled on this interface
.Pp
.It
.Ic PROMISC
.Pp
 		Interface is in promiscuous mode, the system's software to
		receive all packets visible to the network card,
		even if they are not destined for this host
.Pp
.It
.Ic ALLMULTI
.Pp
		This causes the interface to receive all multicast traffic,
		even for multicast networks that it was not signed up for
.Pp
.It
.Ic OACTIVE
.Pp
		Transmission in progress.
		An interface that displays this flag continuously may be
		stuck.
		You may be able to reset an interface that is in this state
		by using and then reversing the 'shutdown' command from the
		interface menu.
.Pp
		E.g. reset an interface.
.Bd -literal -offset indent
		nsh(p)interface vr0
		nsh(interface-vr0)/shutdown
		nsh(interface-vr0)/no shutdown
.Ed
.It
.Ic SIMPLEX
.Pp
		Can't hear own transmissions
.Pp
.It
.Ic LINK0
.Pp
		This flag has different meanings with different interface\
		 types
.Pp
.It
.Ic LINK1
.Pp
		This flag has different meanings with different interface\
		 types
.Pp
.It
.Ic LINK2
.Pp
		This flag has different meanings with different interface\
		 types
.Pp
.It
.Ic MULTICAST
		This interface supports multicast
.El
.Sh ALTQ notes
TODO
.Sh Interface-specific notes
There are several special interfaces.
.Ss gre
The gre interface allows for tunnel construction using the Cisco GRE
encapsulation protocol.
 You can use the tunnel command under interface mode to create a tunnel.
.Bd -literal -offset indent
nsh(interface-gre0)/tunnel 1.2.3.4 5.5.5.5
.Ed
enc (IPsec Loopback)
.Pp
enc (specifically, enc0) is the encapsulating interface.
It is a software loopback mechanism used to control non-encapsulated IPsec
traffic using the pf firewall ruleset.
It allows an administrator to see outgoing packets before they have been
processed by IPsec, or incoming packets after they have been processed.
.Pp
All traffic out of enc0 is already decrypted and authenticated via IPsec.
Thus, it is helpful when writing firewall rulesets.
.Ss ppp (Point to Point Protocol)
The serial line Point-to-Point protocol uses this interface.
.Ss sl (Serial Line Interface Protocol)
The Serial Line Internet Protocol uses this interface.
.Pp
tun (Tunnel Interface)
.Pp
This is another software loopback mechanism.
It allows user processes to create their own virtual network interfaces.
It is used by the PPPoE implementation.
.Ss gif
This interface is used for RFC 1933 IPv[46] to IPv[46] tunnels.
.Bd -literal -offset indent
nsh(interface-gif0)/tunnel 1.2.3.4 5.5.5.5
.Ed
tunnels can be used between rdomains.
.Bd -literal -offset indent
nsh(interface-gif0)/tunnel 1.2.3.4 5.5.5.5 rdomain 5
.Ed
.Ss pflog
Packets logged from the packet filter are visible on this interface
.Ss vlan
This interface type allows virtual LANs to be setup over an Ethernet
port using the 802.1Q protocol.
E.g. setup a virtual interface with the 192.168.44.1 IP address,
with 802.1Q trunking on the fxp3 physical interface, and a vlan ID of 4.
.Bd -literal -offset indent
nsh(interface-vlan0)/vnetid 4

nsh(interface-vlan0)/parent fxp3

nsh(interface-vlan0)/address 192.168.44.1/24
.Ed
.Ss Svlan
This interface type allows virtual LANs to be setup over an Ethernet
port using 802.1AD provider bridge.
.Pp
This product includes software developed by the University of California,
Berkeley and its contributors.
.Pp
This product includes software developed by Jason L. Wright
.Pp
This product includes software developed by the
.Nx
Foundation Incorporated and its contributors.
.Pp
.Ev EDITOR
was used to specify the name of an (old-style) line editor, such as
.Xr ed 1 ,
and
.Ev VISUAL
was used to specify a (new-style) screen editor, such as
.Xr vi 1 .
Hence if
.Ev VISUAL
is set, it overrides
.Ev EDITOR .
TODO
.Sh ENVIRONMENT
.Bl -tag -width NSH_MANUAL_PAGE
.It Ev NSH_MANUAL_PAGE
.El
The manual page displayed by the built-in
.Cm manual
command.
This must be an absolute path to the
.Xr mdoc 7
file that should be displayed.
Defaults to
.Pa /usr/local/man/man8/nsh.8
.Sh FILES
.Bl -tag -width /etc/suid_profile -compact
.It Pa /etc/nshrc
global configuration file
.It Pa ~/.profile
user's login profile
.It Pa /etc/shells
shell database
.It Pa /etc/suid_profile
privileged shell profile
.It Pa ~/.nshenv
If this file exists and is owned by the invoking user then
.Nm
will automatically load environment variables from this file at startup.
The
.Cm setenv
and
.Cm saveenv
commands can be used to generate this file.
The file will not be loaded if the
.Fl i
or
.Fl c
options are used.
.El
.Sh SEE ALSO
.Bd -ragged -offset indent
.Xr ed 1 ,
.Xr mg 1 ,
.Xr stty 1 ,
.Xr vi 1 ,
.Xr pf 4 ,
.Xr bgpd.conf 5 ,
.Xr dhcpd.conf 5 ,
.Xr ospf6d.conf 5 ,
.Xr ospfd.conf 5 ,
.Xr pf.conf 5 ,
.Xr relayd.conf 5 ,
.Xr resolv.conf 5 ,
.Xr shells 5 ,
.Xr environ 7 ,
.Xr script 7 ,
.Xr bgpd 8 ,
.Xr dhcpd 8 ,
.Xr dhcpleased 8 ,
.Xr dvmrpd 8 ,
.Xr eigrpd 8 ,
.Xr ftpd 8 ,
.Xr ftp-proxy 8 ,
.Xr ifstated 8 ,
.Xr iked 8 ,
.Xr inetd 8 ,
.Xr ipsecctl 8 ,
.Xr ldapd 8
.Xr ldpd 8 ,
.Xr npppd 8 ,
.Xr ntpd 8 ,
.Xr ospf6d 8 ,
.Xr ospfd 8 ,
.Xr pfctl 8 ,
.Xr relayd 8 ,
.Xr resolvd 8 ,
.Xr ripd 8 ,
.Xr rad 8 ,
.Xr sasyncd 8 ,
.Xr slaacd 8 ,
.Xr smtpd 8 ,
.Xr snmpd 8 ,
.Xr sshd 8 ,
.Xr tftp-proxy 8 ,
.Xr tftpd 8 ,
.Ed
.Pp
.Rs
.%A Chris Cappuccio
.%T http://www.nmedia.net/nsh/
.%D 2014-2024
.Re
.Rs
.%A Chris Cappuccio
.%T https://github.com/yellowman/nsh
.%D 2024
.\" The second edition of the below book (1995) is about ksh93,
.\" but the OpenBSD ksh is a descendant from ksh88 via pdksh.
.Re
.Rs
.%A Stephen G. Kochan
.%A Patrick H. Wood
.%B UNIX Shell Programming, 3rd Edition
.%D 2003
.%I Sams
.%O ISBN 0672324903
.Re
.Sh AUTHORS
.An -nosplit
This shell was originally designed and written by
.An Chris Cappuccio Aq Mt chris@nmedia.net ,
and is now co-maintained by
.An Stefan Sperling Aq Mt stsp@openbsd.org
and
.An Tom Smyth Aq Mt tom.smyth@wirelessconnect.eu .
.Sh BUGS